NVD

NOTICE UPDATE

NIST has updated the NVD program announcement page with additional information regarding recent concerns and the temporary delays in enrichment efforts.

CVE-2009-4017 Detail

Description

PHP before 5.2.12 and 5.3.x before 5.3.1 does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive.

Severity

CVSS 3.x Severity and Metrics:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.

Note: NVD Analysts have not published a CVSS score for this CVE at this time. NVD Analysts use publicly available information at the time of analysis to associate CVSS vector strings.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html	Mailing List
http://marc.info/?l=bugtraq&m=127680701405735&w=2	Third Party Advisory
http://news.php.net/php.announce/79	Mailing List Release Notes
http://seclists.org/fulldisclosure/2009/Nov/228	Mailing List Third Party Advisory
http://support.apple.com/kb/HT4077	Third Party Advisory
http://www.acunetix.com/blog/websecuritynews/php-multipartform-data-denial-of-service/	Third Party Advisory
http://www.debian.org/security/2009/dsa-1940	Mailing List Third Party Advisory
http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02512995	Broken Link
http://www.mandriva.com/security/advisories?name=MDVSA-2009:303	Broken Link
http://www.mandriva.com/security/advisories?name=MDVSA-2009:305	Broken Link
http://www.openwall.com/lists/oss-security/2009/11/20/2	Mailing List Patch
http://www.openwall.com/lists/oss-security/2009/11/20/7	Mailing List
http://www.php.net/ChangeLog-5.php	Release Notes Vendor Advisory
http://www.php.net/releases/5_2_12.php	Release Notes
http://www.php.net/releases/5_3_1.php	Release Notes Vendor Advisory
http://www.securityfocus.com/archive/1/507982/100/0/threaded	Broken Link Third Party Advisory VDB Entry
http://www.vupen.com/english/advisories/2009/3593	Broken Link
https://exchange.xforce.ibmcloud.com/vulnerabilities/54455	Third Party Advisory VDB Entry
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10483	Broken Link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6667	Broken Link

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-770	Allocation of Resources Without Limits or Throttling	NIST

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

5 change records found show changes

Modified Analysis by NIST 2/15/2024 4:16:16 PM

Action	Type	Old Value	New Value
Added	CPE Configuration		OR cpe:2.3:o:apple:mac_os_x:10.6.3::::::: cpe:2.3:o:debian:debian_linux:4.0::::::: cpe:2.3:o:debian:debian_linux:5.0::::::: cpe:2.3:o:debian:debian_linux:6.0:::::::
Changed	CPE Configuration	OR cpe:2.3:a:php:php:5.2.11::::::: cpe:2.3:a:php:php:5.3.0:::::::	OR cpe:2.3:a:php:php::::::::* versions up to (excluding) 5.2.12 cpe:2.3:a:php:php:5.3.0:-::::::* cpe:2.3:a:php:php:5.3.0:alpha1::::::* cpe:2.3:a:php:php:5.3.0:alpha2::::::* cpe:2.3:a:php:php:5.3.0:alpha3::::::* cpe:2.3:a:php:php:5.3.0:beta1::::::* cpe:2.3:a:php:php:5.3.0:rc1::::::* cpe:2.3:a:php:php:5.3.0:rc2::::::* cpe:2.3:a:php:php:5.3.0:rc3::::::* cpe:2.3:a:php:php:5.3.0:rc4::::::*
Added	CWE		NIST CWE-770
Removed	CWE	NIST NVD-CWE-Other
Changed	Reference Type	http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html No Types Assigned	http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html Mailing List
Changed	Reference Type	http://marc.info/?l=bugtraq&m=127680701405735&w=2 No Types Assigned	http://marc.info/?l=bugtraq&m=127680701405735&w=2 Third Party Advisory
Changed	Reference Type	http://news.php.net/php.announce/79 No Types Assigned	http://news.php.net/php.announce/79 Mailing List, Release Notes
Changed	Reference Type	http://seclists.org/fulldisclosure/2009/Nov/228 No Types Assigned	http://seclists.org/fulldisclosure/2009/Nov/228 Mailing List, Third Party Advisory
Changed	Reference Type	http://secunia.com/advisories/37482 No Types Assigned	http://secunia.com/advisories/37482 Broken Link
Changed	Reference Type	http://secunia.com/advisories/37821 No Types Assigned	http://secunia.com/advisories/37821 Broken Link
Changed	Reference Type	http://secunia.com/advisories/40262 No Types Assigned	http://secunia.com/advisories/40262 Broken Link
Changed	Reference Type	http://secunia.com/advisories/41480 No Types Assigned	http://secunia.com/advisories/41480 Broken Link
Changed	Reference Type	http://secunia.com/advisories/41490 No Types Assigned	http://secunia.com/advisories/41490 Broken Link
Changed	Reference Type	http://support.apple.com/kb/HT4077 No Types Assigned	http://support.apple.com/kb/HT4077 Third Party Advisory
Changed	Reference Type	http://www.acunetix.com/blog/websecuritynews/php-multipartform-data-denial-of-service/ No Types Assigned	http://www.acunetix.com/blog/websecuritynews/php-multipartform-data-denial-of-service/ Third Party Advisory
Changed	Reference Type	http://www.debian.org/security/2009/dsa-1940 No Types Assigned	http://www.debian.org/security/2009/dsa-1940 Mailing List, Third Party Advisory
Changed	Reference Type	http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02512995 No Types Assigned	http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02512995 Broken Link
Changed	Reference Type	http://www.mandriva.com/security/advisories?name=MDVSA-2009:303 No Types Assigned	http://www.mandriva.com/security/advisories?name=MDVSA-2009:303 Broken Link
Changed	Reference Type	http://www.mandriva.com/security/advisories?name=MDVSA-2009:305 No Types Assigned	http://www.mandriva.com/security/advisories?name=MDVSA-2009:305 Broken Link
Changed	Reference Type	http://www.openwall.com/lists/oss-security/2009/11/20/2 Patch	http://www.openwall.com/lists/oss-security/2009/11/20/2 Mailing List, Patch
Changed	Reference Type	http://www.openwall.com/lists/oss-security/2009/11/20/7 No Types Assigned	http://www.openwall.com/lists/oss-security/2009/11/20/7 Mailing List
Changed	Reference Type	http://www.php.net/ChangeLog-5.php Patch, Vendor Advisory	http://www.php.net/ChangeLog-5.php Release Notes, Vendor Advisory
Changed	Reference Type	http://www.php.net/releases/5_2_12.php No Types Assigned	http://www.php.net/releases/5_2_12.php Release Notes
Changed	Reference Type	http://www.php.net/releases/5_3_1.php Patch, Vendor Advisory	http://www.php.net/releases/5_3_1.php Release Notes, Vendor Advisory
Changed	Reference Type	http://www.securityfocus.com/archive/1/507982/100/0/threaded No Types Assigned	http://www.securityfocus.com/archive/1/507982/100/0/threaded Broken Link, Third Party Advisory, VDB Entry
Changed	Reference Type	http://www.vupen.com/english/advisories/2009/3593 No Types Assigned	http://www.vupen.com/english/advisories/2009/3593 Broken Link
Changed	Reference Type	https://exchange.xforce.ibmcloud.com/vulnerabilities/54455 No Types Assigned	https://exchange.xforce.ibmcloud.com/vulnerabilities/54455 Third Party Advisory, VDB Entry
Changed	Reference Type	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10483 No Types Assigned	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10483 Broken Link
Changed	Reference Type	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6667 No Types Assigned	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6667 Broken Link

Quick Info

CVE Dictionary Entry:
CVE-2009-4017
NVD Published Date:
11/23/2009
NVD Last Modified:
02/15/2024
Source:
Red Hat, Inc.

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database

National Vulnerability Database

CVE-2009-4017 Detail

Description

Severity

References to Advisories, Solutions, and Tools

Weakness Enumeration

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Change History

Modified Analysis by NIST 2/15/2024 4:16:16 PM

CVE Modified by Red Hat, Inc. 10/10/2018 3:48:06 PM

CVE Modified by Red Hat, Inc. 9/18/2017 9:29:53 PM

CVE Modified by Red Hat, Inc. 8/16/2017 9:31:23 PM

Initial CVE Analysis 11/24/2009 8:55:00 AM

Quick Info