Improper Input Validation Affecting php-embedded package, versions <0:5.3.3-22.el6


Severity

Recommended
0.0
medium
0
10

Based on CentOS security rating.

Threat Intelligence

EPSS
1.4% (87th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Input Validation vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-CENTOS6-PHPEMBEDDED-2071361
  • published26 Jul 2021
  • disclosed6 Nov 2011

Introduced: 6 Nov 2011

CVE-2011-1398  (opens in a new tab)
CWE-20  (opens in a new tab)

How to fix?

Upgrade Centos:6 php-embedded to version 0:5.3.3-22.el6 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream php-embedded package and not the php-embedded package as distributed by Centos. See How to fix? for Centos:6 relevant fixed versions and status.

The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 and 5.4.x before 5.4.0RC2 does not check for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome.

CVSS Scores

version 3.1