Published: 09/07/2014 Updated: 07/11/2023

CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10

VMScore: 668

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

The SPL component in PHP prior to 5.4.30 and 5.5.x prior to 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allows remote malicious users to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to "type confusion" issues in (1) ArrayObject and (2) SPLObjectStorage.

Vulnerable Product	Search on Vulmon	Subscribe to Product
php php
debian debian linux 8.0
debian debian linux 7.0

Several security issues were fixed in PHP ...

Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2014-0207 Francisco Alonso of the Red Hat Security Response Team reported an incorrect boundary check in the cdf_read_short_se ...

A type confusion issue was found in the SPL ArrayObject and SPLObjectStorage classes' unserialize() method A remote attacker able to submit specially crafted input to a PHP application, which would then unserialize this input using one of the aforementioned methods, could use this flaw to execute arbitrary code with the privileges of the user runn ...

acincludem4, as used in the configure script in PHP 5513 and earlier, allows local users to overwrite arbitrary files via a symlink attack on the /tmp/phpglibccheck file A denial of service flaw was found in the way the File Information (fileinfo) extension parsed certain Composite Document Format (CDF) files A remote attacker could use this ...

A denial of service flaw was found in the way the File Information (fileinfo) extension parsed certain Composite Document Format (CDF) files A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted CDF file acincludem4, as used in the configure script in PHP 5513 and earlier, allows local users to ...

Tenable's SecurityCenter is affected by several vulnerabilities due to the use of third-party libraries, specifically Apache HTTP Server and PHP CVE-2014-3515 - PHP unserialize() Call SPL ArrayObject / SPLObjectStorage Type Confusion Remote Code Execution PHP contains an type confusion flaw that is triggered when performing an unserialize() call ...

Kerio Control Unified Threat Management versions prior to 913 suffer from unsafe usage of the PHP unserialize function, code execution, memory corruption, cross site scripting, and various other vulnerabilities ...

NVD-CWE-noinfo https://bugs.php.net/bug.php?id=67492 http://www.php.net/ChangeLog-5.php http://secunia.com/advisories/59794 http://secunia.com/advisories/59831 http://support.apple.com/kb/HT6443 http://rhn.redhat.com/errata/RHSA-2014-1766.html http://www.debian.org/security/2014/dsa-2974 http://rhn.redhat.com/errata/RHSA-2014-1765.html http://lists.opensuse.org/opensuse-updates/2014-09/msg00046.html http://marc.info/?l=bugtraq&m=141017844705317&w=2 http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html http://www.securityfocus.com/bid/68237 http://www-01.ibm.com/support/docview.wss?uid=swg21683486 http://secunia.com/advisories/60998 http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=88223c5245e9b470e1e6362bfd96829562ffe6ab https://usn.ubuntu.com/2276-1/https://nvd.nist.gov https://access.redhat.com/security/cve/cve-2014-3515

CVE-2014-3515

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Exploits

References

Vulmon Search

About

Products

Connect