CVE-2016-3171: Code Injection
First published: Mon Feb 15 2016(Updated: )
Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/drupal/core | >=8.0<8.0.4 | |
| composer/drupal/drupal | >=8.0<8.0.4 | |
| composer/drupal/drupal | >=6.0<6.38 | 6.38 |
| composer/drupal/core | >=6.0<6.38 | 6.38 |
| All of | ||
| Any of | ||
| PHP | <=5.4.44 | |
| PHP | =5.5.0 | |
| PHP | =5.5.0-alpha1 | |
| PHP | =5.5.0-alpha2 | |
| PHP | =5.5.0-alpha3 | |
| PHP | =5.5.0-alpha4 | |
| PHP | =5.5.0-alpha5 | |
| PHP | =5.5.0-alpha6 | |
| PHP | =5.5.0-beta1 | |
| PHP | =5.5.0-beta2 | |
| PHP | =5.5.0-beta3 | |
| PHP | =5.5.0-beta4 | |
| PHP | =5.5.0-rc1 | |
| PHP | =5.5.0-rc2 | |
| PHP | =5.5.1 | |
| PHP | =5.5.2 | |
| PHP | =5.5.10 | |
| PHP | =5.5.11 | |
| PHP | =5.5.12 | |
| PHP | =5.5.13 | |
| PHP | =5.5.14 | |
| PHP | =5.5.18 | |
| PHP | =5.5.19 | |
| PHP | =5.5.20 | |
| PHP | =5.5.21 | |
| PHP | =5.5.22 | |
| PHP | =5.5.23 | |
| PHP | =5.5.24 | |
| PHP | =5.5.25 | |
| PHP | =5.5.26 | |
| PHP | =5.5.27 | |
| PHP | =5.5.28 | |
| PHP | =5.6.0-alpha1 | |
| PHP | =5.6.0-alpha2 | |
| PHP | =5.6.0-alpha3 | |
| PHP | =5.6.0-alpha4 | |
| PHP | =5.6.0-alpha5 | |
| PHP | =5.6.0-beta1 | |
| PHP | =5.6.0-beta2 | |
| PHP | =5.6.0-beta3 | |
| PHP | =5.6.0-beta4 | |
| PHP | =5.6.1 | |
| PHP | =5.6.2 | |
| PHP | =5.6.3 | |
| PHP | =5.6.4 | |
| PHP | =5.6.5 | |
| PHP | =5.6.6 | |
| PHP | =5.6.7 | |
| PHP | =5.6.8 | |
| PHP | =5.6.9 | |
| PHP | =5.6.10 | |
| PHP | =5.6.11 | |
| PHP | =5.6.12 | |
| Any of | ||
| Drupal | =6.0 | |
| Drupal | =6.0-beta1 | |
| Drupal | =6.0-beta2 | |
| Drupal | =6.0-beta3 | |
| Drupal | =6.0-beta4 | |
| Drupal | =6.0-dev | |
| Drupal | =6.0-rc1 | |
| Drupal | =6.0-rc2 | |
| Drupal | =6.0-rc3 | |
| Drupal | =6.0-rc4 | |
| Drupal | =6.1 | |
| Drupal | =6.2 | |
| Drupal | =6.3 | |
| Drupal | =6.4 | |
| Drupal | =6.5 | |
| Drupal | =6.6 | |
| Drupal | =6.7 | |
| Drupal | =6.8 | |
| Drupal | =6.9 | |
| Drupal | =6.10 | |
| Drupal | =6.11 | |
| Drupal | =6.12 | |
| Drupal | =6.13 | |
| Drupal | =6.14 | |
| Drupal | =6.15 | |
| Drupal | =6.16 | |
| Drupal | =6.17 | |
| Drupal | =6.18 | |
| Drupal | =6.19 | |
| Drupal | =6.20 | |
| Drupal | =6.21 | |
| Drupal | =6.22 | |
| Drupal | =6.23 | |
| Drupal | =6.24 | |
| Drupal | =6.25 | |
| Drupal | =6.26 | |
| Drupal | =6.27 | |
| Drupal | =6.28 | |
| Drupal | =6.29 | |
| Drupal | =6.30 | |
| Drupal | =6.31 | |
| Drupal | =6.32 | |
| Drupal | =6.33 | |
| Drupal | =6.34 | |
| Drupal | =6.35 | |
| Drupal | =6.36 | |
| Drupal | =6.37 | |
| Debian Linux | =7.0 | |
| Debian Linux | =8.0 | |
| PHP | <=5.4.44 | |
| PHP | =5.5.0 | |
| PHP | =5.5.0-alpha1 | |
| PHP | =5.5.0-alpha2 | |
| PHP | =5.5.0-alpha3 | |
| PHP | =5.5.0-alpha4 | |
| PHP | =5.5.0-alpha5 | |
| PHP | =5.5.0-alpha6 | |
| PHP | =5.5.0-beta1 | |
| PHP | =5.5.0-beta2 | |
| PHP | =5.5.0-beta3 | |
| PHP | =5.5.0-beta4 | |
| PHP | =5.5.0-rc1 | |
| PHP | =5.5.0-rc2 | |
| PHP | =5.5.1 | |
| PHP | =5.5.2 | |
| PHP | =5.5.10 | |
| PHP | =5.5.11 | |
| PHP | =5.5.12 | |
| PHP | =5.5.13 | |
| PHP | =5.5.14 | |
| PHP | =5.5.18 | |
| PHP | =5.5.19 | |
| PHP | =5.5.20 | |
| PHP | =5.5.21 | |
| PHP | =5.5.22 | |
| PHP | =5.5.23 | |
| PHP | =5.5.24 | |
| PHP | =5.5.25 | |
| PHP | =5.5.26 | |
| PHP | =5.5.27 | |
| PHP | =5.5.28 | |
| PHP | =5.6.0-alpha1 | |
| PHP | =5.6.0-alpha2 | |
| PHP | =5.6.0-alpha3 | |
| PHP | =5.6.0-alpha4 | |
| PHP | =5.6.0-alpha5 | |
| PHP | =5.6.0-beta1 | |
| PHP | =5.6.0-beta2 | |
| PHP | =5.6.0-beta3 | |
| PHP | =5.6.0-beta4 | |
| PHP | =5.6.1 | |
| PHP | =5.6.2 | |
| PHP | =5.6.3 | |
| PHP | =5.6.4 | |
| PHP | =5.6.5 | |
| PHP | =5.6.6 | |
| PHP | =5.6.7 | |
| PHP | =5.6.8 | |
| PHP | =5.6.9 | |
| PHP | =5.6.10 | |
| PHP | =5.6.11 | |
| PHP | =5.6.12 | |
| Drupal | =6.0 | |
| Drupal | =6.0-beta1 | |
| Drupal | =6.0-beta2 | |
| Drupal | =6.0-beta3 | |
| Drupal | =6.0-beta4 | |
| Drupal | =6.0-dev | |
| Drupal | =6.0-rc1 | |
| Drupal | =6.0-rc2 | |
| Drupal | =6.0-rc3 | |
| Drupal | =6.0-rc4 | |
| Drupal | =6.1 | |
| Drupal | =6.2 | |
| Drupal | =6.3 | |
| Drupal | =6.4 | |
| Drupal | =6.5 | |
| Drupal | =6.6 | |
| Drupal | =6.7 | |
| Drupal | =6.8 | |
| Drupal | =6.9 | |
| Drupal | =6.10 | |
| Drupal | =6.11 | |
| Drupal | =6.12 | |
| Drupal | =6.13 | |
| Drupal | =6.14 | |
| Drupal | =6.15 | |
| Drupal | =6.16 | |
| Drupal | =6.17 | |
| Drupal | =6.18 | |
| Drupal | =6.19 | |
| Drupal | =6.20 | |
| Drupal | =6.21 | |
| Drupal | =6.22 | |
| Drupal | =6.23 | |
| Drupal | =6.24 | |
| Drupal | =6.25 | |
| Drupal | =6.26 | |
| Drupal | =6.27 | |
| Drupal | =6.28 | |
| Drupal | =6.29 | |
| Drupal | =6.30 | |
| Drupal | =6.31 | |
| Drupal | =6.32 | |
| Drupal | =6.33 | |
| Drupal | =6.34 | |
| Drupal | =6.35 | |
| Drupal | =6.36 | |
| Drupal | =6.37 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.drupal.org/SA-CORE-2016-001
- http://www.debian.org/security/2016/dsa-3498
- http://www.openwall.com/lists/oss-security/2016/02/24/19
- http://www.openwall.com/lists/oss-security/2016/03/15/10
- https://nvd.nist.gov/vuln/detail/CVE-2016-3171
- https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2016-3171.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2016-3171.yaml
- https://github.com/advisories/GHSA-69g8-g9jq-74v7 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2016-3171?
CVE-2016-3171 has been classified with Medium severity.
How do I fix CVE-2016-3171?
To fix CVE-2016-3171, upgrade to Drupal 6.38 or later.
What are the affected versions for CVE-2016-3171?
CVE-2016-3171 affects Drupal versions prior to 6.38 when used with certain versions of PHP.
Can CVE-2016-3171 lead to remote code execution?
Yes, CVE-2016-3171 allows remote attackers to execute arbitrary code through session data truncation.
Is my PHP version related to CVE-2016-3171?
Yes, CVE-2016-3171 is particularly relevant for environments running PHP versions earlier than 5.4.45, 5.5.29, or 5.6.13.
- collector/friends-of-php
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-69g8-g9jq-74v7
- alias/CVE-2016-3171
- agent/software-canonical-lookup
- agent/remedy
- agent/weakness
- agent/severity
- agent/references
- agent/description
- agent/author
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- package-manager/composer
- vendor/php
- canonical/php
- version/php/5.4.44
- version/php/5.5.0
- version/php/5.5.0-alpha1
- version/php/5.5.0-alpha2
- version/php/5.5.0-alpha3
- version/php/5.5.0-alpha4
- version/php/5.5.0-alpha5
- version/php/5.5.0-alpha6
- version/php/5.5.0-beta1
- version/php/5.5.0-beta2
- version/php/5.5.0-beta3
- version/php/5.5.0-beta4
- version/php/5.5.0-rc1
- version/php/5.5.0-rc2
- version/php/5.5.1
- version/php/5.5.2
- version/php/5.5.10
- version/php/5.5.11
- version/php/5.5.12
- version/php/5.5.13
- version/php/5.5.14
- version/php/5.5.18
- version/php/5.5.19
- version/php/5.5.20
- version/php/5.5.21
- version/php/5.5.22
- version/php/5.5.23
- version/php/5.5.24
- version/php/5.5.25
- version/php/5.5.26
- version/php/5.5.27
- version/php/5.5.28
- version/php/5.6.0-alpha1
- version/php/5.6.0-alpha2
- version/php/5.6.0-alpha3
- version/php/5.6.0-alpha4
- version/php/5.6.0-alpha5
- version/php/5.6.0-beta1
- version/php/5.6.0-beta2
- version/php/5.6.0-beta3
- version/php/5.6.0-beta4
- version/php/5.6.1
- version/php/5.6.2
- version/php/5.6.3
- version/php/5.6.4
- version/php/5.6.5
- version/php/5.6.6
- version/php/5.6.7
- version/php/5.6.8
- version/php/5.6.9
- version/php/5.6.10
- version/php/5.6.11
- version/php/5.6.12
- vendor/drupal
- canonical/drupal
- version/drupal/6.0
- version/drupal/6.0-beta1
- version/drupal/6.0-beta2
- version/drupal/6.0-beta3
- version/drupal/6.0-beta4
- version/drupal/6.0-dev
- version/drupal/6.0-rc1
- version/drupal/6.0-rc2
- version/drupal/6.0-rc3
- version/drupal/6.0-rc4
- version/drupal/6.1
- version/drupal/6.2
- version/drupal/6.3
- version/drupal/6.4
- version/drupal/6.5
- version/drupal/6.6
- version/drupal/6.7
- version/drupal/6.8
- version/drupal/6.9
- version/drupal/6.10
- version/drupal/6.11
- version/drupal/6.12
- version/drupal/6.13
- version/drupal/6.14
- version/drupal/6.15
- version/drupal/6.16
- version/drupal/6.17
- version/drupal/6.18
- version/drupal/6.19
- version/drupal/6.20
- version/drupal/6.21
- version/drupal/6.22
- version/drupal/6.23
- version/drupal/6.24
- version/drupal/6.25
- version/drupal/6.26
- version/drupal/6.27
- version/drupal/6.28
- version/drupal/6.29
- version/drupal/6.30
- version/drupal/6.31
- version/drupal/6.32
- version/drupal/6.33
- version/drupal/6.34
- version/drupal/6.35
- version/drupal/6.36
- version/drupal/6.37
- vendor/debian
- canonical/debian linux
- version/debian linux/7.0
- version/debian linux/8.0