CVE-2009-4023

HIGH

Description

Argument injection vulnerability in the sendmail implementation of the Mail::Send method (Mail/sendmail.php) in the Mail package 1.1.14 for PEAR allows remote attackers to read and write arbitrary files via a crafted $from parameter, a different vector than CVE-2009-4111.

References

http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html

http://pear.php.net/bugs/bug.php?id=16200

http://pear.php.net/bugs/bug.php?id=16200&edit=12&patch=quick-fix&revision=1241757412

http://secunia.com/advisories/37410

http://secunia.com/advisories/37458

http://svn.php.net/viewvc/pear/packages/Mail/trunk/Mail/sendmail.php?r1=243717&r2=280134

http://www.debian.org/security/2009/dsa-1938

http://www.openwall.com/lists/oss-security/2009/11/23/8

http://www.securityfocus.com/bid/37081

http://www.vupen.com/english/advisories/2009/3300

https://bugs.gentoo.org/show_bug.cgi?id=294256

https://exchange.xforce.ibmcloud.com/vulnerabilities/54362

Details

Source: MITRE

Published: 2009-11-29

Updated: 2017-08-17

Type: CWE-94

Risk Information

CVSS v2

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:pear:pear:1.1.14:*:*:*:*:*:*:*

Tenable Plugins

ID | Name | Product | Family | Severity
79962 | GLSA-201412-09 : Multiple packages, Multiple vulnerabilities fixed in 2011 | Nessus | Gentoo Local Security Checks | critical
50369 | openSUSE Security Update : php5-pear-mail (openSUSE-SU-2010:0909-1) | Nessus | SuSE Local Security Checks | high
44303 | Mandriva Linux Security Advisory : php-pear-Mail (MDVSA-2010:025) | Nessus | Mandriva Local Security Checks | high
42940 | Fedora 10 : php-pear-Mail-1.1.14-5.fc10 (2009-12439) | Nessus | Fedora Local Security Checks | high
42939 | Fedora 12 : php-pear-Mail-1.1.14-5.fc12 (2009-12395) | Nessus | Fedora Local Security Checks | high
42937 | Fedora 11 : php-pear-Mail-1.1.14-5.fc11 (2009-12348) | Nessus | Fedora Local Security Checks | high