PT-2014-1421 · Php+5

Stefan Esser · Published 2014-06-09 · Updated 2022-11-09 · CVE-2014-3515

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

PHP versions prior to 5.4.30
PHP versions 5.5.x prior to 5.5.14

Description

The issue arises from incorrect anticipation of data structure types after unserialization in the SPL component, leading to potential remote code execution through crafted strings that trigger the use of a Hashtable destructor. This is related to "type confusion" issues in ArrayObject and SPLObjectStorage.

Recommendations

For PHP versions prior to 5.4.30, update to version 5.4.30 or later.
For PHP versions 5.5.x prior to 5.5.14, update to version 5.5.14 or later.

Related Identifiers

BDU:2015-00376
CESA-2014_1012
CESA-2014_1013
CVE-2014-3515
DLA-0018-1
DSA-2974-1
HPSBUX03102
MGASA-2014-0283
MGASA-2014-0284
RHSA-2014:1012
RHSA-2014:1013
RHSA-2014:1765
RHSA-2014:1766
RHSA-2014_1012
RHSA-2014_1013
SUSE-SU-2016:1638-1
USN-2276-1

Affected Products

CentOS
HP-UX
PHP
Red Hat
SUSE
Ubuntu