CVE-2010-2094

Name of the Vulnerable Software and Affected Versions PHP versions prior to 5.3.2

Description The issue allows context-dependent attackers to obtain sensitive information, such as memory contents, and possibly execute arbitrary code via a crafted phar:// URI. This is due to multiple format string vulnerabilities in the phar extension, which are not properly handled by certain functions, including (1) phar stream flush, (2) phar wrapper unlink, (3) phar parse url, (4) phar wrapper open url, and (5) phar wrapper open dir. These functions trigger errors in the php stream wrapper log error function.

Recommendations For PHP versions prior to 5.3.2, update to version 5.3.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the phar extension until a patch is applied. Avoid using crafted phar:// URIs in the affected API endpoints until the issue is resolved.