CVE-2016-7131

ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via a malformed wddxPacket XML document that is mishandled in a wddx_deserialize call, as demonstrated by a tag that lacks a < (less than) character.

References

Affected packages

Git / github.com/php/php-src

Affected ranges

Type: GIT
Repo: https://github.com/php/php-src
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

90fc27f17abb5cb9c7006987fe53b62d66f981a7

Affected versions

Other

NEWS

NEWS-cvs2svn

POST_64BIT_BRANCH_MERGE

POST_AST_MERGE

POST_NATIVE_TLS_MERGE

POST_PHP7_EREG_MYSQL_REMOVALS

POST_PHP7_NSAPI_REMOVAL

POST_PHP7_REMOVALS

POST_PHPNG_MERGE

PRE_64BIT_BRANCH_MERGE

PRE_AST_MERGE

PRE_NATIVE_TLS_MERGE

PRE_PHP7_EREG_MYSQL_REMOVALS

PRE_PHP7_NSAPI_REMOVAL

PRE_PHP7_REMOVALS

PRE_PHPNG_MERGE

php-5.*

php-5.3.23RC1

php-5.3.29

php-5.3.29RC1

php-5.4.30RC1

php-5.4.32RC1

php-5.4.4RC2

php-5.5.24RC1

php-7.*

php-7.0.0

php-7.0.0RC1

php-7.0.0RC2

php-7.0.0RC3

php-7.0.0RC4

php-7.0.0RC5

php-7.0.0RC6

php-7.0.0RC7

php-7.0.0RC8

php-7.0.0alpha1

php-7.0.0alpha2

php-7.0.0beta1

php-7.0.0beta2

php-7.0.0beta3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-7131.json"