CVE-2016-4072
- Source
- https://cve.org/CVERecord?id=CVE-2016-4072
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-4072.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2016-4072
- Downstream
- Published
- 2016-05-20T11:00:16.663Z
- Modified
- 2026-04-11T12:01:16.740065Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the pharanalyzepath function in ext/phar/phar.c.
- Database specific
{ "unresolved_ranges": [ { "cpe": "cpe:2.3:a:php:php:5.6.0:alpha4:*:*:*:*:*:*", "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "5.6.0-alpha4" } ] }, { "cpe": "cpe:2.3:a:php:php:5.6.0:alpha5:*:*:*:*:*:*", "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "5.6.0-alpha5" } ] }, { "cpe": "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*", "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "10.11.4" } ] } ] }- References
-
- http://lists.apple.com/archives/security-announce/2016/May/msg00004.html
- http://www.openwall.com/lists/oss-security/2016/04/24/1
- http://www.php.net/ChangeLog-5.php
- http://www.php.net/ChangeLog-7.php
- http://www.securityfocus.com/bid/85993
- https://bugs.php.net/bug.php?id=71860
- https://gist.github.com/smalyshev/80b5c2909832872f2ba2
- https://git.php.net/?p=php-src.git%3Ba=commit%3Bh=1e9b175204e3286d64dfd6c9f09151c31b5e099a
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
- https://support.apple.com/HT206567
- http://rhn.redhat.com/errata/RHSA-2016-2750.html
- http://www.debian.org/security/2016/dsa-3560
- http://www.ubuntu.com/usn/USN-2952-1
- http://www.ubuntu.com/usn/USN-2952-2
- https://security.gentoo.org/glsa/201611-22
Affected packages
Git / github.com/php/php-src
Affected ranges
- Type
- GIT
- Repo
- https://github.com/php/php-src
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affected
- Database specific
{ "cpe": [ "cpe:2.3:a:php:php:5.6.0:alpha1:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.6.0:alpha2:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.6.0:alpha3:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.6.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.6.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.6.0:beta3:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.6.0:beta4:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.6.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.6.6:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.6.7:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.6.8:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.6.9:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.6.10:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.6.11:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.6.12:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.6.13:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.6.14:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.6.15:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.6.16:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.6.17:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.6.18:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.6.19:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:7.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:7.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:7.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:7.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:7.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.0:alpha1:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.0:alpha2:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.0:alpha3:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.0:alpha4:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.0:alpha5:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.0:alpha6:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.0:beta3:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.0:beta4:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.6:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.7:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.8:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.9:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.10:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.11:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.12:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.13:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.14:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.15:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.16:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.17:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.18:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.19:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.20:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.21:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.22:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.23:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.24:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.25:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.26:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.27:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.29:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.30:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.31:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.32:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.5.33:*:*:*:*:*:*:*" ], "source": "CPE_FIELD", "extracted_events": [ { "introduced": "0" }, { "last_affected": "5.6.0-alpha1" }, { "last_affected": "5.6.0-alpha2" }, { "last_affected": "5.6.0-alpha3" }, { "last_affected": "5.6.0-beta1" }, { "last_affected": "5.6.0-beta2" }, { "last_affected": "5.6.0-beta3" }, { "last_affected": "5.6.0-beta4" }, { "last_affected": "5.6.1" }, { "last_affected": "5.6.2" }, { "last_affected": "5.6.3" }, { "last_affected": "5.6.4" }, { "last_affected": "5.6.5" }, { "last_affected": "5.6.6" }, { "last_affected": "5.6.7" }, { "last_affected": "5.6.8" }, { "last_affected": "5.6.9" }, { "last_affected": "5.6.10" }, { "last_affected": "5.6.11" }, { "last_affected": "5.6.12" }, { "last_affected": "5.6.13" }, { "last_affected": "5.6.14" }, { "last_affected": "5.6.15" }, { "last_affected": "5.6.16" }, { "last_affected": "5.6.17" }, { "last_affected": "5.6.18" }, { "last_affected": "5.6.19" }, { "last_affected": "7.0.0" }, { "last_affected": "7.0.1" }, { "last_affected": "7.0.2" }, { "last_affected": "7.0.3" }, { "last_affected": "7.0.4" }, { "last_affected": "5.5.0" }, { "last_affected": "5.5.0-alpha1" }, { "last_affected": "5.5.0-alpha2" }, { "last_affected": "5.5.0-alpha3" }, { "last_affected": "5.5.0-alpha4" }, { "last_affected": "5.5.0-alpha5" }, { "last_affected": "5.5.0-alpha6" }, { "last_affected": "5.5.0-beta1" }, { "last_affected": "5.5.0-beta2" }, { "last_affected": "5.5.0-beta3" }, { "last_affected": "5.5.0-beta4" }, { "last_affected": "5.5.0-rc1" }, { "last_affected": "5.5.0-rc2" }, { "last_affected": "5.5.1" }, { "last_affected": "5.5.2" }, { "last_affected": "5.5.3" }, { "last_affected": "5.5.4" }, { "last_affected": "5.5.5" }, { "last_affected": "5.5.6" }, { "last_affected": "5.5.7" }, { "last_affected": "5.5.8" }, { "last_affected": "5.5.9" }, { "last_affected": "5.5.10" }, { "last_affected": "5.5.11" }, { "last_affected": "5.5.12" }, { "last_affected": "5.5.13" }, { "last_affected": "5.5.14" }, { "last_affected": "5.5.15" }, { "last_affected": "5.5.16" }, { "last_affected": "5.5.17" }, { "last_affected": "5.5.18" }, { "last_affected": "5.5.19" }, { "last_affected": "5.5.20" }, { "last_affected": "5.5.21" }, { "last_affected": "5.5.22" }, { "last_affected": "5.5.23" }, { "last_affected": "5.5.24" }, { "last_affected": "5.5.25" }, { "last_affected": "5.5.26" }, { "last_affected": "5.5.27" }, { "last_affected": "5.5.29" }, { "last_affected": "5.5.30" }, { "last_affected": "5.5.31" }, { "last_affected": "5.5.32" }, { "last_affected": "5.5.33" } ] }
Affected versions
Other
POST_64BIT_BRANCH_MERGE
POST_AST_MERGE
POST_PHP7_NSAPI_REMOVAL
POST_PHP7_REMOVALS
POST_PHPNG_MERGE
PRE_64BIT_BRANCH_MERGE
PRE_AST_MERGE
PRE_PHP7_EREG_MYSQL_REMOVALS
PRE_PHP7_NSAPI_REMOVAL
PRE_PHP7_REMOVALS
php5_5_0
php-5.*
php-5.5.0RC1
php-5.5.0RC2
php-5.5.0alpha1
php-5.5.0alpha2
php-5.5.0alpha3
php-5.5.0alpha4
php-5.5.0alpha5
php-5.5.0alpha6
php-5.5.0beta1
php-5.5.0beta2
php-5.5.0beta3
php-5.5.0beta4
php-5.5.1
php-5.5.10
php-5.5.10RC1
php-5.5.11
php-5.5.11RC1
php-5.5.12
php-5.5.12RC1
php-5.5.13
php-5.5.13RC1
php-5.5.14
php-5.5.14RC1
php-5.5.15
php-5.5.15RC1
php-5.5.16
php-5.5.16RC1
php-5.5.17
php-5.5.17RC1
php-5.5.18
php-5.5.18RC1
php-5.5.19
php-5.5.19RC1
php-5.5.2
php-5.5.20
php-5.5.20RC1
php-5.5.21
php-5.5.21RC1
php-5.5.22
php-5.5.22RC1
php-5.5.23
php-5.5.23RC1
php-5.5.24
php-5.5.24RC1
php-5.5.25
php-5.5.25RC1
php-5.5.26
php-5.5.26RC1
php-5.5.27
php-5.5.27RC1
php-5.5.29
php-5.5.3
php-5.5.30
php-5.5.31
php-5.5.32
php-5.5.33
php-5.5.4
php-5.5.5
php-5.5.6
php-5.5.7
php-5.5.7RC1
php-5.5.8
php-5.5.8RC1
php-5.5.9
php-5.5.9RC1
php-5.6.0alpha1
php-5.6.0alpha2
php-5.6.0alpha3
php-5.6.0beta1
php-5.6.0beta2
php-5.6.0beta3
php-5.6.0beta4
php-5.6.1
php-5.6.10
php-5.6.10RC1
php-5.6.11
php-5.6.11RC1
php-5.6.12
php-5.6.12RC1
php-5.6.13
php-5.6.13RC1
php-5.6.14
php-5.6.14RC1
php-5.6.15
php-5.6.15RC1
php-5.6.16
php-5.6.16RC1
php-5.6.17
php-5.6.17RC1
php-5.6.18
php-5.6.19
php-5.6.19RC1
php-5.6.1RC1
php-5.6.2
php-5.6.3
php-5.6.3RC1
php-5.6.4
php-5.6.4RC1
php-5.6.5
php-5.6.5RC1
php-5.6.6
php-5.6.6RC1
php-5.6.7
php-5.6.7RC1
php-5.6.8
php-5.6.8RC1
php-5.6.9
php-5.6.9RC1
php-7.*
php-7.0.0
php-7.0.0RC1
php-7.0.0RC2
php-7.0.0RC3
php-7.0.0RC4
php-7.0.0RC5
php-7.0.0RC6
php-7.0.0RC7
php-7.0.0RC8
php-7.0.0alpha1
php-7.0.0alpha2
php-7.0.0beta1
php-7.0.0beta2
php-7.0.0beta3
php-7.0.1
php-7.0.1RC1
php-7.0.2
php-7.0.2RC1
php-7.0.3
php-7.0.4
php-7.0.4RC1