#VU525 Arbitrary code execution


Published: 2016-09-19

Vulnerability identifier: #VU525

Vulnerability risk: High

CVSSv3.1:

CVE-ID: CVE-2016-7414

CWE-ID: CWE-284

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description
The vulnerability allows a remote or local user to cause arbitrary code execution on the target system.
The weakness is caused by an out-of-bounds memory error in phar_parse_zipfile() that allows a malicious user to execute arbitrary code.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Mitigation
Update to 5.6.26.
http://php.net/ChangeLog-5.php#5.6.26
Update to 7.0.11.
http://php.net/ChangeLog-7.php#7.0.11
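As an added check that is not part of the original bulletin, the script below compares an installed PHP version (read from `php -v` output) against the two fixed releases named above, 5.6.26 and 7.0.11, and reports whether a 5.6.x or 7.0.x install is still below its fix. Treating branches the bulletin does not name (5.5.x, 7.1.x and so on) as out of scope, and the sample banners, are assumptions of this example.

```python
import re
import subprocess

# Fixed releases named in the bulletin, keyed by (major, minor) release branch.
FIXED_BY_BRANCH = {
    (5, 6): (5, 6, 26),
    (7, 0): (7, 0, 11),
}

# Matches the leading "PHP X.Y.Z" of a `php -v` banner (suffixes like RC2 are ignored).
VERSION_RE = re.compile(r"PHP\s+(\d+)\.(\d+)\.(\d+)")


def parse_php_version(banner: str):
    """Extract (major, minor, patch) from `php -v` output; None if no version is found."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def assess(version) -> str:
    """Classify a version against the fix releases: "vulnerable", "fixed",
    "not-covered" (branch not named in the bulletin; assumption: out of scope)
    or "unknown" (no version parsed)."""
    if version is None:
        return "unknown"
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return "not-covered"
    return "fixed" if version >= fixed else "vulnerable"


def check_local_php() -> str:
    """Run `php -v` on this host and assess the result (php must be on PATH)."""
    try:
        proc = subprocess.run(["php", "-v"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "unknown"
    return assess(parse_php_version(proc.stdout))


if __name__ == "__main__":
    # Constructed sample banners covering each outcome, so the demo runs offline.
    for banner in ("PHP 5.6.25 (cli) (built: Sep  1 2016 10:00:00)",
                   "PHP 7.0.11 (cli) (built: Sep 15 2016 12:00:00)",
                   "PHP 7.1.0RC2 (cli)"):
        print(banner.split(" (")[0], "->", assess(parse_php_version(banner)))
```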

Vulnerable software versions

PHP: 7.0.11, 5.6.26
