Description

php_zip.c in the zip extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data containing a ZipArchive object.

Remediation

References

CVE-2016-5773

Related Vulnerabilities

Oracle JRE CVE-2017-10345 Vulnerability (CVE-2017-10345)

WordPress Plugin Adifier System Multiple Vulnerabilities (3.1.3)

WordPress 4.1.x Multiple Vulnerabilities (4.1 - 4.1.28)

WordPress Plugin WP Songbook Cross-Site Scripting (2.0.11)

WordPress Plugin Lana Email Logger Cross-Site Scripting (1.0.2)

Severity

Critical

Classification

CVE-2016-5773 CWE-416 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities