CVE-2007-3294

Multiple buffer overflows in libtidy, as used in the Tidy extension for PHP 5.2.3 and possibly other products, allow context-dependent attackers to execute arbitrary code via (1) a long second argument to the tidy_parse_string function or (2) an unspecified vector to the tidy_repair_string function. NOTE: this might only be an issue in environments where vsnprintf is implemented as a wrapper for vsprintf.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://osvdb.org/36853
http://secunia.com/advisories/25735	Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/34931
https://www.exploit-db.com/exploits/4080

Configurations

Configuration 1 (hide)

cpe:2.3:a:php:php:5.2.3:*:*:*:*:*:*:*

History

No history.

Information

Published : 2007-06-20 21:30

Updated : 2023-12-10 10:40

NVD link : CVE-2007-3294

Mitre link : CVE-2007-3294

CVE.ORG link : CVE-2007-3294

JSON object : View

Products Affected

php

php

CWE

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

{"id": "CVE-2007-3294", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": true, "userInteractionRequired": false}]}, "published": "2007-06-20T21:30:00.000", "references": [{"url": "http://osvdb.org/36853", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/25735", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34931", "source": "cve@mitre.org"}, {"url": "https://www.exploit-db.com/exploits/4080", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-119"}]}], "descriptions": [{"lang": "en", "value": "Multiple buffer overflows in libtidy, as used in the Tidy extension for PHP 5.2.3 and possibly other products, allow context-dependent attackers to execute arbitrary code via (1) a long second argument to the tidy_parse_string function or (2) an unspecified vector to the tidy_repair_string function. NOTE: this might only be an issue in environments where vsnprintf is implemented as a wrapper for vsprintf."}, {"lang": "es", "value": "M\u00faltiples desbordamientos de b\u00fafer en libtidy, como es usado en la extensi\u00f3n Tidy para PHP versi\u00f3n 5.2.3 y posiblemente otros productos, permiten a atacantes dependiendo del contexto ejecutar c\u00f3digo arbitrario por medio de (1) un segundo argumento largo en la funci\u00f3n tidy_parse_string o (2) un vector no especificado en la funci\u00f3n tidy_repair_string. NOTA: esto solo puede ser un problema en entornos donde vsnprintf se implementa como un contenedor para vsprintf."}], "lastModified": "2017-10-11T01:32:44.613", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:php:php:5.2.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "86767200-6C9C-4C3E-B111-0E5BE61E197B"}], "operator": "OR"}]}], "vendorComments": [{"comment": "Not vulnerable. PHP is not complied with the tidy library as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5, or Red Hat Application Stack v1 or v2.", "lastModified": "2007-09-28T00:00:00", "organization": "Red Hat"}], "sourceIdentifier": "cve@mitre.org"}