CVE-2016-10712 — Improper Input Validation in PHP

CWE-20 — Improper Input Validation9 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.6%

top 31.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Php5 PHP Canonical Ubuntu Linux

Timeline

PublishedFeb 9

Latest updateMay 14

Description

In PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3, all of the return values of stream_get_meta_data can be controlled if the input can be controlled (e.g., during file uploads). For example, a "$uri = stream_get_meta_data(fopen($file, "r"))['uri']" call mishandles the case where $file is data:text/plain;uri=eviluri, -- in other words, metadata can be set by an attacker.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶Ubuntuphp5/php5< 5.5.9+dfsg-1ubuntu4.24+1

▶NVDphp/php5.6.0 — 5.6.17+2

Also affects: Ubuntu Linux 14.04, 16.04, 17.10

Patches

Patch: bugs.php.net ↗Patch: bugs.php.net ↗

🔴Vulnerability Details

GHSA

GHSA-5jr3-87vw-j587: In PHP before 5↗2022-05-14

▶

OSV

php5 vulnerabilities↗2019-05-22

▶

OSV

php5, php7.0, php7.1 vulnerabilities↗2018-03-19

▶

OSV

CVE-2016-10712: In PHP before 5↗2018-02-09

▶

📋Vendor Advisories

Ubuntu

PHP vulnerabilities↗2019-05-22

▶

Ubuntu

PHP vulnerabilities↗2018-03-19

▶

Red Hat

php: Output of stream_get_meta_data can be falsified by its input↗2016-01-10

▶

💬Community

Bugzilla

CVE-2016-10712 php: Output of stream_get_meta_data can be falsified by its input↗2016-02-08

▶