#VU45430 Resource management error in PHP - CVE-2010-4697

Cybersecurity Help s.r.o.

Published: 2011-01-18 | Updated: 2020-08-11

Vulnerability identifier: #VU45430

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2010-4697

CWE-ID: CWE-399

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Use-after-free vulnerability in the Zend engine in PHP before 5.2.15 and 5.3.x before 5.3.4 might allow context-dependent attackers to cause a denial of service (heap memory corruption) or have unspecified other impact via vectors related to use of __set, __get, __isset, and __unset methods on objects accessed by a reference.

Mitigation
Install update from vendor's website.

Vulnerable software versions

PHP: 1.0, 2.0b10, 2.0, 3.0 - 3.0.18, 4.0 - 4.0.7, 4.1.0 - 4.1.2, 4.2.0 - 4.2.3, 4.3.0 - 4.3.11, 4.4.0 - 4.4.9, 5.0.0 - 5.0.5, 5.1.0 - 5.1.6, 5.2.0 - 5.2.13, 5.3.0 - 5.3.3

External links
https://bugs.php.net/52879
https://marc.info/?l=bugtraq&m=133469208622507&w=2
https://www.php.net/ChangeLog-5.php
https://www.securityfocus.com/bid/45952
https://exchange.xforce.ibmcloud.com/vulnerabilities/65310
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12528

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in PHP