Description

PHP through 5.6.27 and 7.x through 7.0.12 mishandles property modification during __wakeup processing, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data, as demonstrated by Exception::__toString with DateInterval::__wakeup.

Remediation

References

CVE-2016-9138

Related Vulnerabilities

MediaWiki Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-6332)

WordPress 3.8.x Multiple Vulnerabilities (3.8 - 3.8.33)

WordPress Plugin WP-Spreadplugin Cross-Site Scripting (3.8.6)

Ruby Improper Authentication Vulnerability (CVE-2007-5162)

Internet Information Services Other Vulnerability (CVE-2001-0333)

Severity

Critical

Classification

CVE-2016-9138 CWE-416 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities