Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 2.6
CVE Id: CVE-2012-3450
Last Modified: 18 Apr 2013 11:23:28
Published: 06 Aug 2012 12:55:05
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE

CVE-2012-3450

Summary

pdo_sql_parser.re in the PDO extension in PHP before 5.3.14 and 5.4.x before 5.4.4 does not properly determine the end of the query string during parsing of prepared statements, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted parameter value.

Vulnerable Systems

Application

  • PHP 5.3.0
  • PHP 5.3.1
  • PHP 5.3.2
  • PHP 5.3.3
  • PHP 5.3.4
  • PHP 5.3.5
  • PHP 5.3.6
  • PHP 5.3.7
  • PHP 5.3.8
  • PHP 5.3.9
  • PHP 5.3.10
  • PHP 5.3.11
  • PHP 5.3.12
  • PHP 5.3.13
  • PHP 5.4.0
  • PHP 5.4.1
  • PHP 5.4.2
  • PHP 5.4.3

References

CONFIRM - https://bugzilla.novell.com/show_bug.cgi?id=769785

CONFIRM - https://bugs.php.net/bug.php?id=61755

CONFIRM - http://www.php.net/ChangeLog-5.php

BUGTRAQ - 20120610 [php<=5.4.3] Parsing Bug in PHP PDO prepared statements may lead to access violation

DEBIAN - DSA-2527

SUSE - SUSE-SU-2012:1033

MLIST - [oss-security] 20120802 Re: CVE Request: php5 pdo array overread/crash

MLIST - [oss-security] 20120802 CVE Request: php5 pdo array overread/crash

UBUNTU - USN-1569-1

MANDRIVA - MDVSA-2012:108

Related Patches

Novell SUSE 2012:6634 apache2-mod_php53 security update for SLES 11 SP2 i586

Novell SUSE 2012:6634 apache2-mod_php53 security update for SLES 11 SP2 x86_64


Last Updated: 27 May 2016 10:55:02