CVE-2014-8142

Published: 20/12/2014 Updated: 07/11/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP prior to 5.4.36, 5.5.x prior to 5.5.20, and 5.6.x prior to 5.6.4 allows remote malicious users to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019.

Vulnerable Products

php php 5.6.1

php php 5.5.0

php php 5.6.0

php php 5.5.19

php php 5.5.16

php php 5.5.1

php php 5.5.5

php php 5.5.17

php php 5.5.14

php php 5.5.7

php php 5.6.2

php php 5.5.12

php php 5.5.6

php php 5.5.3

php php 5.5.8

php php 5.5.15

php php 5.5.11

php php 5.5.13

php php 5.5.4

php php 5.5.10

php php 5.6.3

php php

php php 5.5.18

php php 5.5.2

php php 5.5.9

Vendor Advisories

Several security issues were fixed in PHP ...
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a di ...
A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code ...
PHP contains a use-after-free error in the process_nested_data() function in ext/standard/var_unserializer.re. With specially crafted input passed to the unserialize() method, a remote attacker can dereference already freed memory and potentially execute arbitrary code (CVE-2014-8142 / CVE-2015-0231). PHP contains a flaw in the exif_process_unicod ...

Exploits

Kerio Control Unified Threat Management versions prior to 9.1.3 suffer from unsafe usage of the PHP unserialize function, code execution, memory corruption, cross site scripting, and various other vulnerabilities ...
eFront version 3.6.15 suffers from a PHP object injection vulnerability ...