Description

The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive.

Remediation

References

CVE-2016-4343

Related Vulnerabilities

WordPress Plugin Search & Replace PHP Object Injection (3.2.2)

Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2015-3273)

PostgreSQL CVE-2024-0985 Vulnerability (CVE-2024-0985)

WordPress Plugin Live Scores for SportsPress Multiple Vulnerabilities (1.9.0)

Apache Tomcat Improper Input Validation Vulnerability (CVE-2013-4286)

Severity

High

Classification

CVE-2016-4343 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities