UBUNTU-CVE-2016-10712

Advisory lineage Upstream: 1 Downstream: 2
Upstream
CVE-2016-10712
Published: 09 Feb 2018, 00:00
Last modified:22 Apr 2026, 10:30

Vulnerability Summary

Overall Risk (default)
medium
30/100
CVSS Score
7.5 HIGH
3.0 (osv_ubuntu)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

09 Feb 2018, 00:00
Published
Vulnerability first disclosed
22 Apr 2026, 10:30
Last Modified
Vulnerability information updated

Description

In PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3, all of the return values of stream_get_meta_data can be controlled if the input can be controlled (e.g., during file uploads). For example, a "$uri = stream_get_meta_data(fopen($file, "r"))['uri']" call mishandles the case where $file is data:text/plain;uri=eviluri, -- in other words, metadata can be set by an attacker.

CVSS Metrics

  • v3.0HIGHScore: 7.5CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected Systems

  • ubuntuphp5

    < 5.5.9+dfsg-1ubuntu4.24

References (4)