Fluid Attacks Database

Description

Format string vulnerability in stream.c in the phar extension in PHP 5.3.x through 5.3.3 allows context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the phar_stream_flush function, leading to errors in the php_stream_wrapper_log_error function. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-2094.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rpm rhel6	php	<0:5.3.3-14.el6_3	0:5.3.3-14.el6_3
rpm rhel5	php53	<0:5.3.3-13.el5_8	0:5.3.3-13.el5_8

Aliases

1. CVE-2010-29502. NVD-2010-29503. OSV-2010-2950

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.