PT-2014-1420 · Php+2 · Php+2

Published

2014-08-23

Updated

2024-06-15

CVE-2014-5120

CVSS v2.0

6.4

Medium

Vector

AV:N/AC:L/Au:N/C:N/I:P/A:P

Name of the Vulnerable Software and Affected Versions PHP versions 5.4.x through 5.4.31 PHP versions 5.5.x through 5.5.15

Description The issue exists in the GD component of PHP due to the presence of %00 sequences in pathnames. This allows remote attackers to overwrite arbitrary files by providing crafted input to applications that call certain functions, including imagegd, imagegd2, imagegif, imagejpeg, imagepng, imagewbmp, or imagewebp.

Recommendations For PHP versions 5.4.x through 5.4.31, update to version 5.4.32 or later. For PHP versions 5.5.x through 5.5.15, update to version 5.5.16 or later.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

BDU:2015-00375

CESA-2014_1327

CVE-2014-5120

MGASA-2014-0367

OPENSUSE-SU-2024:10290-1

OPENSUSE-SU-2024:10344-1

RHSA-2014:1327

RHSA-2014:1765

RHSA-2014:1766

RHSA-2014_1327

Affected Products

Centos

Php

Red Hat

PT-2014-1420 · Php+2 · Php+2

CVE-2014-5120

Weakness Enumeration

Related Identifiers

Affected Products

References · 130