Deserialization of untrusted data in PHP - CVE-2016-9138
Published: January 4, 2017 / Updated: April 5, 2018
Vulnerability identifier: #VU10334
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-9138
CWE-ID: CWE-502
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: PHP Group
Affected software:
PHP
PHP
Detailed vulnerability description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to unsafe handling of serialized data when processing property modification during __wakeup(). A remote attacker can pass specially crafted serialized data to the application and cause denial of service attack.
The vulnerability exists due to unsafe handling of serialized data when processing property modification during __wakeup(). A remote attacker can pass specially crafted serialized data to the application and cause denial of service attack.
How to mitigate CVE-2016-9138
Update to version 5.6.28 or 7.0.13.