CVE-2016-5773

Name of the Vulnerable Software and Affected Versions PHP versions prior to 5.5.37 PHP versions 5.6.x prior to 5.6.23 PHP versions 7.x prior to 7.0.8

Description The issue is related to the improper interaction between the php zip.c component in the PHP zip extension and the unserialize implementation and garbage collection. This allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data containing a ZipArchive object. The vulnerability is related to the use of memory after it has been freed, which can be exploited by an attacker to execute arbitrary PHP code or cause a denial of service.

Recommendations For PHP versions prior to 5.5.37, update to version 5.5.37 or later. For PHP versions 5.6.x prior to 5.6.23, update to version 5.6.23 or later. For PHP versions 7.x prior to 7.0.8, update to version 7.0.8 or later. As a temporary workaround, consider disabling the ZipArchive object in serialized data to minimize the risk of exploitation.