CVE-2014-3587

Published: 23/08/2014 Updated: 05/01/2018
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Vulnerability Summary

Integer overflow in the cdf_read_property_info function in cdf.c in file up to and including 5.19, as used in the Fileinfo component in PHP prior to 5.4.32 and 5.5.x prior to 5.5.16, allows remote malicious users to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1571.

Vulnerable Product

christos zoulas file 5.02

christos zoulas file 5.03

christos zoulas file 5.10

christos zoulas file 5.11

christos zoulas file 5.18

christos zoulas file

php php 5.4.0

php php 5.4.12

php php 5.4.15

php php 5.4.16

php php 5.4.23

php php 5.4.24

php php 5.4.30

php php

php php 5.5.9

php php 5.5.8

php php 5.5.14

php php 5.5.13

php php 5.5.0

christos zoulas file 5.00

christos zoulas file 5.01

christos zoulas file 5.08

christos zoulas file 5.09

christos zoulas file 5.16

christos zoulas file 5.17

php php 5.4.10

php php 5.4.11

php php 5.4.14

php php 5.4.20

php php 5.4.21

php php 5.4.22

php php 5.4.29

php php 5.4.3

php php 5.4.8

php php 5.4.9

php php 5.5.3

php php 5.5.2

php php 5.5.15

christos zoulas file 5.06

christos zoulas file 5.07

christos zoulas file 5.14

christos zoulas file 5.15

php php 5.4.1

php php 5.4.13

php php 5.4.19

php php 5.4.2

php php 5.4.27

php php 5.4.28

php php 5.4.6

php php 5.4.7

php php 5.5.5

php php 5.5.4

php php 5.5.10

php php 5.5.1

christos zoulas file 5.04

christos zoulas file 5.05

christos zoulas file 5.12

christos zoulas file 5.13

php php 5.4.17

php php 5.4.18

php php 5.4.25

php php 5.4.26

php php 5.4.4

php php 5.4.5

php php 5.5.7

php php 5.5.6

php php 5.5.12

php php 5.5.11

Vendor Advisories

Synopsis: Moderate: file security and bug fix update. Type/Severity: Security Advisory: Moderate. Topic: Updated file packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Commo ...

file could be made to crash or run programs as your login if it opened a specially crafted file ...

php5 could be made to crash or run programs if it received specially crafted network traffic ...

Multiple security issues have been found in file, a tool to determine a file type. These vulnerabilities allow remote attackers to cause a denial of service, via resource consumption or application crash. For the stable distribution (wheezy), these problems have been fixed in version 5.11-2+deb7u4. For the testing distribution (jessie), these probl ...

Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2014-3538: It was discovered that the original fix for CVE-2013-7345 did not sufficiently address the problem. A remote attacke ...

A denial of service flaw was found in the way the File Information (fileinfo) extension parsed certain Composite Document Format (CDF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted CDF file. gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before 5.5.16 does not ensu ...

Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1571 ...

It was found that the fix for CVE-2012-1571 was incomplete; the File Information (fileinfo) extension did not correctly parse certain Composite Document Format (CDF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted CDF file ...

Github Repositories

A PHP version scanner for reporting possible vulnerabilities

versionscan: Versionscan is a tool for evaluating your currently installed PHP version and checking it against known CVEs and the versions they were fixed in to report back potential issues. PLEASE NOTE: Work is still in progress to adapt the tool to Linux distributions that backport security fixes. As of right now, this only reports back for the straight up version reported