KLA10944
Denial of service and arbitrary code execution vulnerabilities in PHP
Updated: 05/22/2020
Detect date
?
01/11/2017
Severity
?
Critical
Description

An improper implementation of the SplObjectStorage unserialize in ext/spl/spl_observer.c was found in PHP before 7.0.12. By exploiting this vulnerability malicious users can execute arbitrary code or cause a denial of service. This vulnerability can be exploited remotely via a specially designed serialized data.


Technical details

Vulnerability occurs because an implementation does not verify whether a key is an object or not.

Affected products

PHP 7.x before 7.0.12

Solution

Update to the latest version
Download PHP

Original advisories

PHP Bug Tracking System

Impacts
?
ACE 
[?]

DoS 
[?]
Related products
PHP
CVE-IDS
?
CVE-2016-74807.5Critical