SERVER-WEBAPP PHP unserialize var_hash use-after-free attempt
ext/session/session.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly maintain a certain hash data structure, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors related to session deserialization.
CVSS base score 9.8 CVSS impact score 5.9 CVSS exploitability score 3.9 confidentialityImpact HIGH integrityImpact HIGH availabilityImpact HIGH
CVE-2016-6290:
CVSS base score 9.8
CVSS impact score 5.9
CVSS exploitability score 3.9
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH
CVE-2016-6290: ext/session/session.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly maintain a certain hash data structure, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors related to session deserialization.
CVE-2016-6290:
Access Vector
Access Complexity
Authentication
None known
None known
Upgrade to the latest non-affected version of the software.
Apply the appropriate vendor supplied patches.
©2020 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.
Privacy Policy | Snort License | FAQ | Sitemap
