Rapid7 VulnDB

DSA-2974-1 php5 -- security update

Back to Search

DSA-2974-1 php5 -- security update

Severity
8
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
07/06/2014
Created
07/25/2018
Added
07/09/2014
Modified
07/04/2017

Description

The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to "type confusion" issues in (1) ArrayObject and (2) SPLObjectStorage.

Solution(s)

  • debian-upgrade-php5

References

  • debian-upgrade-php5

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;