← Back

CVE-2015-3412

nvd nist
Published: May 16, 2016Modified: May 6, 2026

JSON object

Loading...
5.3
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 / Impact: 1.4
Source: NVD

Description

PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read arbitrary files via crafted input to an application that calls the stream_resolve_include_path function in ext/standard/streamsfuncs.c, as demonstrated by a filename\0.extension attack that bypasses an intended configuration in which client users may read files with only one specific extension.

Affected (41)

Php
1 product
Php
Redhat
7 products
Enterprise Linux Desktop
Enterprise Linux Hpc Node
Enterprise Linux Hpc Node Eus
Enterprise Linux Server
Enterprise Linux Server Eus
Enterprise Linux Workstation
Enterprise Linux
Configuration A
33 vulnerable
Vulnerable SoftwareAffected Versions
Php
Php
Up to 5.4.39
Php
Version 5.5.0
Php
Version 5.5.10
Php
Version 5.5.11
Php
Version 5.5.12
Php
Version 5.5.13
Php
Version 5.5.14
Php
Version 5.5.15
Php
Version 5.5.16
Php
Version 5.5.17
Php
Version 5.5.18
Php
Version 5.5.19
Php
Version 5.5.1
Php
Version 5.5.20
Php
Version 5.5.21
Php
Version 5.5.22
Php
Version 5.5.23
Php
Version 5.5.2
Php
Version 5.5.3
Php
Version 5.5.4
Php
Version 5.5.5
Php
Version 5.5.6
Php
Version 5.5.7
Php
Version 5.5.8
Php
Version 5.5.9
Php
Version 5.6.0
Php
Version 5.6.1
Php
Version 5.6.2
Php
Version 5.6.3
Php
Version 5.6.4
Php
Version 5.6.5
Php
Version 5.6.6
Php
Version 5.6.7
Configuration B
6 vulnerable
Vulnerable SoftwareAffected Versions
Enterprise Linux Desktop
Version 7.0
Enterprise Linux Hpc Node
Version 7.0
Enterprise Linux Hpc Node Eus
Version 7.1
Enterprise Linux Server
Version 7.0
Enterprise Linux Server Eus
Version 7.1
Enterprise Linux Workstation
Version 7.0
Configuration C
2 vulnerable
Vulnerable SoftwareAffected Versions
Redhat
Enterprise Linux
Version 6.0
Enterprise Linux
Version 7.0

Related CWEs

CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-254
CWE-254

References (20)

Source: cve@mitre.org
Source: cve@mitre.org
Vendor Advisory
Source: cve@mitre.org
Source: cve@mitre.org
Source: cve@mitre.org
Source: cve@mitre.org
Source: cve@mitre.org
Source: cve@mitre.org
Source: cve@mitre.org
Source: cve@mitre.org
ExploitVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitVendor Advisory

Timeline

No history available yet.