Alpine: php: security update to 5.3.10-r5 (deprecated)

critical Tenable Cloud Security Plugin ID 401293

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-
cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote
attackers to execute arbitrary code by placing command-line options in the query string, related to lack
of skipping a certain php_getopt for the 'd' case. (CVE-2012-1823)

See Also

https://git.alpinelinux.org/aports/commit/?id=278c49ce5052b39cd9c7832222756bad681c14bf

https://git.alpinelinux.org/aports/commit/?id=ef73ee2da84cecb091cdfd5267e645a7cb0aa517

Plugin Details

Severity: Critical

ID: 401293

Version: Revision 1.38

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Critical

Score: 9.2

Percentile: 99.76

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2012-1823

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/7/2012

Vulnerability Publication Date: 5/4/2012

CISA Known Exploited Vulnerability Due Dates: 4/15/2022

Exploitable With

CANVAS (CANVAS)

Core Impact

Metasploit (PHP CGI Argument Injection)

Reference Information

CVE: CVE-2012-1823

BID: 53388

IAVB: 2012-B-0054-S