CVE-2006-4812

Advisory lineage Upstream: 0 Downstream: 2
Modified
Published: 09 Oct 2006, 18:00
Last modified:07 Aug 2024, 19:23

Vulnerability Summary

Overall Risk (default)
critical
90/100
CVSS Score
10 HIGH
v2.0 (nvd)
EPSS Score
39.41% HIGH
39% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected

Timeline

09 Oct 2006, 18:00
Published
Vulnerability first disclosed
07 Aug 2024, 19:23
Last Modified
Vulnerability information updated

Description

Integer overflow in PHP 5 up to 5.1.6 and 4 before 4.3.0 allows remote attackers to execute arbitrary code via an argument to the unserialize PHP function with a large value for the number of array elements, which triggers the overflow in the Zend Engine ecalloc function (Zend/zend_alloc.c).

CVSS Metrics

  • v2.0HIGHScore: 10AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS Trends

Current EPSS score: 39.41% Percentile: 97%

Techniques & Countermeasures

  • CWE-94Improper Control of Generation of Code ('Code Injection')

    The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Affected Systems

  • UnknownPHP

    4.0 | 4.0.1 | 4.0.1:patch1 | 4.0.1:patch2 | 4.0.2 | 4.0.3 | 4.0.3:patch1 | 4.0.4 | 4.0.5 | 4.0.6 | 4.0.7 | 4.0.7:rc1 | 4.0.7:rc2 | 4.0.7:rc3 | 4.1.0 | 4.1.1 | 4.1.2 | 4.2 | 4.2.0 | 4.2.1 | 4.2.2 | 4.2.3 | 5.0:rc1 | 5.0:rc2 | 5.0:rc3 | 5.0.0 | 5.0.1 | 5.0.2 | 5.0.3 | 5.0.4 | 5.0.5 | 5.1.0 | 5.1.1 | 5.1.2 | 5.1.3 | 5.1.4 | 5.1.5 | 5.1.6

References (26)