CVE-2009-1271

The JSON_parser function (ext/json/JSON_parser.c) in PHP 5.2.x before 5.2.9 allows remote attackers to cause a denial of service (segmentation fault) via a malformed string to the json_decode API function.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
http://cvs.php.net/viewvc.cgi/php-src/ext/json/JSON_parser.c?r1=1.1.2.14&r2=1.1.2.15
http://lists.apple.com/archives/security-announce/2009/Sep/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html
http://secunia.com/advisories/34770
http://secunia.com/advisories/34830
http://secunia.com/advisories/34933
http://secunia.com/advisories/35003
http://secunia.com/advisories/35007
http://secunia.com/advisories/35306
http://secunia.com/advisories/35685
http://secunia.com/advisories/36701
http://support.apple.com/kb/HT3865
http://www.debian.org/security/2009/dsa-1775
http://www.debian.org/security/2009/dsa-1789
http://www.mandriva.com/security/advisories?name=MDVSA-2009:090
http://www.openwall.com/lists/oss-security/2009/04/01/9
http://www.php.net/releases/5_2_9.php	Vendor Advisory
http://www.redhat.com/support/errata/RHSA-2009-0350.html
http://www.ubuntu.com/usn/USN-761-2
https://usn.ubuntu.com/761-1/
https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01451.html
https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01465.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:php:php:5.2.0:::::::*
	cpe:2.3:a:php:php:5.2.1:::::::*
	cpe:2.3:a:php:php:5.2.2:::::::*
	cpe:2.3:a:php:php:5.2.3:::::::*
	cpe:2.3:a:php:php:5.2.4:::::::*
	cpe:2.3:a:php:php:5.2.4::windows:::::
	cpe:2.3:a:php:php:5.2.5:::::::*
	cpe:2.3:a:php:php:5.2.6:::::::*
	cpe:2.3:a:php:php:5.2.7:::::::*
	cpe:2.3:a:php:php:5.2.8:::::::*

History

No history.

Information

Published : 2009-04-08 18:30

Updated : 2018-10-03 21:59

NVD link : CVE-2009-1271

Mitre link : CVE-2009-1271

CVE.ORG link : CVE-2009-1271

JSON object : View

Products Affected

php

php

CWE

NVD-CWE-Other

{"id": "CVE-2009-1271", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2009-04-08T18:30:00.187", "references": [{"url": "http://cvs.php.net/viewvc.cgi/php-src/ext/json/JSON_parser.c?r1=1.1.2.14&r2=1.1.2.15", "source": "cve@mitre.org"}, {"url": "http://lists.apple.com/archives/security-announce/2009/Sep/msg00004.html", "source": "cve@mitre.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/34770", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/34830", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/34933", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/35003", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/35007", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/35306", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/35685", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/36701", "source": "cve@mitre.org"}, {"url": "http://support.apple.com/kb/HT3865", "source": "cve@mitre.org"}, {"url": "http://www.debian.org/security/2009/dsa-1775", "source": "cve@mitre.org"}, {"url": "http://www.debian.org/security/2009/dsa-1789", "source": "cve@mitre.org"}, {"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:090", "source": "cve@mitre.org"}, {"url": "http://www.openwall.com/lists/oss-security/2009/04/01/9", "source": "cve@mitre.org"}, {"url": "http://www.php.net/releases/5_2_9.php", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.redhat.com/support/errata/RHSA-2009-0350.html", "source": "cve@mitre.org"}, {"url": "http://www.ubuntu.com/usn/USN-761-2", "source": "cve@mitre.org"}, {"url": "https://usn.ubuntu.com/761-1/", "source": "cve@mitre.org"}, {"url": "https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01451.html", "source": "cve@mitre.org"}, {"url": "https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01465.html", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "The JSON_parser function (ext/json/JSON_parser.c) in PHP 5.2.x before 5.2.9 allows remote attackers to cause a denial of service (segmentation fault) via a malformed string to the json_decode API function."}, {"lang": "es", "value": "La funci\u00f3n JSON_parser (ext/json/JSON_parser.c) en PHP v5.2.x anteriores a v5.2.9 permite a atacantes remotos provocar una denegaci\u00f3n de servicio (falta de segmentaci\u00f3n) a trav\u00e9s de una cadena formada de forma incorrecta a la funci\u00f3n API json_decode.\r\n"}], "lastModified": "2018-10-03T21:59:19.900", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:php:php:5.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CD02D837-FD28-4E0F-93F8-25E8D1C84A99"}, {"criteria": "cpe:2.3:a:php:php:5.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "88358D1E-BE6F-4CE3-A522-83D1FA4739E3"}, {"criteria": "cpe:2.3:a:php:php:5.2.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D8B97B03-7DA7-4A5F-89B4-E78CAB20DE17"}, {"criteria": "cpe:2.3:a:php:php:5.2.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "86767200-6C9C-4C3E-B111-0E5BE61E197B"}, {"criteria": "cpe:2.3:a:php:php:5.2.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B00B416D-FF23-4C76-8751-26D305F0FA0F"}, {"criteria": "cpe:2.3:a:php:php:5.2.4:*:windows:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F526115E-A68E-4B10-AA6A-9CD26CB81AF3"}, {"criteria": "cpe:2.3:a:php:php:5.2.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CCB6CDDD-70D3-4004-BCE0-8C4723076103"}, {"criteria": "cpe:2.3:a:php:php:5.2.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A782CA26-9C38-40A8-92AE-D47B14D2FCE3"}, {"criteria": "cpe:2.3:a:php:php:5.2.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1C0E7E2A-4770-4B68-B74C-5F5A6E1876DC"}, {"criteria": "cpe:2.3:a:php:php:5.2.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0892C89E-9389-4452-B7E0-981A763CD426"}], "operator": "OR"}]}], "vendorComments": [{"comment": "This issue did not affect PHP versions as shipped in Red Hat Enterprise Linux 2.1, 3, 4, and 5, and Red Hat Application Stack v1. PHP version in Red Hat Application Stack v2 was fixed via: https://rhn.redhat.com/errata/RHSA-2009-0350.html", "lastModified": "2009-04-15T00:00:00", "organization": "Red Hat"}], "sourceIdentifier": "cve@mitre.org"}