CVE-2012-2336
PUBLISHED
Reported by redhat · Published May 11, 2012
sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to cause a denial of service (resource consumption) by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'T' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | n/a |
Timeline
- Dec 29, 2011 PoC Published
- May 4, 2012 CVE Published
- Feb 4, 2022 EPSS Score
- Feb 13, 2023 EPSS Score
- Nov 8, 2023 EPSS Score
- Feb 8, 2024 EPSS Score
- Mar 17, 2025 EPSS Score
- Mar 22, 2025 EPSS Score
- Mar 26, 2025 EPSS Score
- Mar 29, 2025 EPSS Score
- Apr 1, 2025 EPSS Score
- Apr 15, 2025 EPSS Score
References
- SUSE-SU-2012:0721 (vendor-advisory, x_refsource_SUSE)
- SUSE-SU-2012:0840 (vendor-advisory, x_refsource_SUSE)
- x_refsource_CONFIRM
- 49014 (third-party-advisory, x_refsource_SECUNIA)
- x_refsource_CONFIRM
- x_refsource_CONFIRM
- SSRT100992 (vendor-advisory, x_refsource_HP)
- x_refsource_CONFIRM