Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 7.5
CVE Id: CVE-2014-8142
Last Modified: 17 Mar 2015 10:02:46
Published: 20 Dec 2014 06:59:00
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2014-8142

Summary

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019.

Vulnerable Systems

Application

  • PHP 5.4.35
  • PHP 5.5.0
  • PHP 5.5.1
  • PHP 5.5.10
  • PHP 5.5.11
  • PHP 5.5.12
  • PHP 5.5.13
  • PHP 5.5.14
  • PHP 5.5.15
  • PHP 5.5.16
  • PHP 5.5.17
  • PHP 5.5.18
  • PHP 5.5.19
  • PHP 5.5.2
  • PHP 5.5.3
  • PHP 5.5.4
  • PHP 5.5.5
  • PHP 5.5.6
  • PHP 5.5.7
  • PHP 5.5.8
  • PHP 5.5.9
  • PHP 5.6.0
  • PHP 5.6.1
  • PHP 5.6.2
  • PHP 5.6.3


References

CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1175718

CONFIRM - https://bugs.php.net/bug.php?id=68594

CONFIRM - http://php.net/ChangeLog-5.php

CONFIRM - http://git.php.net/?p=php-src.git;a=commit;h=630f9c33c23639de85c3fd306b209b538b73b4c9

SUSE - openSUSE-SU-2015:0325

SUSE - SUSE-SU-2015:0365

DEBIAN - DSA-3117


Last Updated: 27 May 2016 11:07:20