High severity7.5NVD Advisory· Published Feb 9, 2018· Updated Jun 17, 2026
CVE-2016-10712
CVE-2016-10712
Description
In PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3, all of the return values of stream_get_meta_data can be controlled if the input can be controlled (e.g., during file uploads). For example, a "$uri = stream_get_meta_data(fopen($file, "r"))['uri']" call mishandles the case where $file is data:text/plain;uri=eviluri, -- in other words, metadata can be set by an attacker.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
11- osv-coords9 versionspkg:rpm/suse/php53&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3pkg:rpm/suse/php53&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-LTSSpkg:rpm/suse/php53&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-TERADATApkg:rpm/suse/php53&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4pkg:rpm/suse/php53&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4pkg:rpm/suse/php53&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4pkg:rpm/suse/php5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012pkg:rpm/suse/php5&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2pkg:rpm/suse/php5&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3
< 5.3.17-112.20.1+ 8 more
- (no CPE)range: < 5.3.17-112.20.1
- (no CPE)range: < 5.3.17-112.20.1
- (no CPE)range: < 5.3.17-112.20.1
- (no CPE)range: < 5.3.17-112.20.1
- (no CPE)range: < 5.3.17-112.20.1
- (no CPE)range: < 5.3.17-112.20.1
- (no CPE)range: < 5.5.14-109.20.1
- (no CPE)range: < 5.5.14-109.20.1
- (no CPE)range: < 5.5.14-109.20.1
Patches
Vulnerability mechanics
References
4- bugs.php.net/bug.phpnvdExploitIssue TrackingPatchVendor Advisory
- usn.ubuntu.com/3600-1/nvdThird Party Advisory
- git.php.netnvd
- usn.ubuntu.com/3566-2/nvd
News mentions
0No linked articles in our index yet.