7.5
CVE-2014-3515
- EPSS 30.13%
- Veröffentlicht 09.07.2014 11:07:01
- Zuletzt bearbeitet 06.05.2026 22:30:45
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to "type confusion" issues in (1) ArrayObject and (2) SPLObjectStorage.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Debian ≫ Debian Linux Version7.0
Debian ≫ Debian Linux Version8.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 30.13% | 0.98 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
http://www.php.net/ChangeLog-5.php
http://rhn.redhat.com/errata/RHSA-2014-1765.html
http://support.apple.com/kb/HT6443
http://marc.info/?l=bugtraq&m=141017844705317&w=2
http://rhn.redhat.com/errata/RHSA-2014-1766.html
http://secunia.com/advisories/60998
http://www-01.ibm.com/support/docview.wss?uid=swg21683486
http://lists.opensuse.org/opensuse-updates/2014-09/msg00046.html
http://secunia.com/advisories/59794
http://secunia.com/advisories/59831
http://www.debian.org/security/2014/dsa-2974
http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=88223c5245e9b470e1e6362bfd96829562ffe6ab
http://www.securityfocus.com/bid/68237
https://bugs.php.net/bug.php?id=67492