SB2017091928 - Multiple vulnerabilities in PHP



SB2017091928 - Multiple vulnerabilities in PHP

Published: September 19, 2017 Updated: June 13, 2025

Security Bulletin ID SB2017091928
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Partial DoS

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 vulnerabilities.


1) Resource management error (CVE-ID: CVE-2010-4150)

CWE-ID: CWE-399 - Resource Management Errors

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote non-authenticated attacker to perform service disruption.

Double free vulnerability in the imap_do_open function in the IMAP extension (ext/imap/php_imap.c) in PHP 5.2 before 5.2.15 and 5.3 before 5.3.4 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors.


2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2010-3436)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote non-authenticated attacker to corrupt data.

fopen_wrappers.c in PHP 5.3.x through 5.3.3 might allow remote attackers to bypass open_basedir restrictions via vectors related to the length of a filename.


3) NULL pointer dereference (CVE-ID: CVE-2010-3709)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4:


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via a crafted ZIP archive.


4) Resource management error (CVE-ID: CVE-2010-3710)

CWE-ID: CWE-399 - Resource Management Errors

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote non-authenticated attacker to perform service disruption.

Stack consumption vulnerability in the filter_var function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3, when FILTER_VALIDATE_EMAIL mode is used, allows remote attackers to cause a denial of service (memory consumption and application crash) via a long e-mail address string.


Remediation

Install update from vendor's website.

References