CVE-2016-10712

In PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3, all of the return values of stream_get_meta_data can be controlled if the input can be controlled (e.g., during file uploads). For example, a "$uri = stream_get_meta_data(fopen($file, "r"))['uri']" call mishandles the case where $file is data:text/plain;uri=eviluri, -- in other words, metadata can be set by an attacker.

Published: Feb 9, 2018
Updated: Apr 13, 2023
CVE: CVE-2016-10712
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
php / php	-	5.5.31.x
php / php	5.6.0	5.6.17.x
php / php	7.0.0	7.0.2.x
canonical / ubuntu_linux	16.04	16.04.x
canonical / ubuntu_linux	14.04	14.04.x
canonical / ubuntu_linux	17.10	17.10.x

https://bugs.php.net/bug.php?id=71323
https://git.php.net/?p=php-src.git;a=commit;h=6297a117d77fa3a0df2e21ca926a92c231819cd5
https://git.php.net/?p=php-src.git%3Ba=commit%3Bh=6297a117d77fa3a0df2e21ca926a92c231819cd5
https://usn.ubuntu.com/3566-2/
https://usn.ubuntu.com/3600-1/

Vulnerability Database

289,697

CVE-2016-10712