CVSS: 7.5EPSS: 2%CPEs: 66EXPL: 0CVE-2015-6838 – php: NULL pointer dereference in XSLTProcessor class
https://notcve.org/view.php?id=CVE-2015-6838
The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation after the principal argument loop, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6837. La función xsl_function_php en ext/xsl/xsl/xsltprocessor.c en PHP en versiones anteriores a 5.4.45, 5.5.x en versiones anteriores a 5.5.29 y 5.6.x en versiones anteriores a 5.6.13, cuando se utiliza libxml2 en versiones anteriores a 2.9.2, no considera la posibilidad de un retorno NULL valuePop antes de proceder a una operación libre despues del bucle del argumento principal, lo que permite a atacantes remotos provocar una denegación de servicio (referencia a puntero NULL y caída de aplicación) a través de un documento XML manipulado, una vulnerabilidad diferente a CVE-2015-6838. A NULL pointer dereference flaw was found in the XSLTProcessor class in PHP. An attacker could use this flaw to cause a PHP application to crash if it performed Extensible Stylesheet Language (XSL) transformations using untrusted XSLT files and allowed the use of PHP functions to be used as XSLT functions within XSL stylesheets. • http://php.net/ChangeLog-5.php http://www.debian.org/security/2015/dsa-3358 http://www.securityfocus.com/bid/76733 http://www.securitytracker.com/id/1033548 https://bugs.php.net/bug.php?id=69782 https://security.gentoo.org/glsa/201606-10 https://access.redhat.com/security/cve/CVE-2015-6838 https://bugzilla.redhat.com/show_bug.cgi?id=1260711 • CWE-476: NULL Pointer Dereference •
CVSS: 9.8EPSS: 20%CPEs: 43EXPL: 2CVE-2015-6834 – PHP 5.4/5.5/5.6 - SplDoublyLinkedList 'Unserialize()' Use-After-Free
https://notcve.org/view.php?id=CVE-2015-6834
Multiple use-after-free vulnerabilities in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 allow remote attackers to execute arbitrary code via vectors related to (1) the Serializable interface, (2) the SplObjectStorage class, and (3) the SplDoublyLinkedList class, which are mishandled during unserialization. Múltiples vulnerabilidades de uso después de liberación de memoria en PHP en versiones anteriores a 5.4.45, 5.5.x en versiones anteriores a 5.5.29 y 5.6.x en versiones anteriores a 5.6.13 permite a atacantes remotos ejecutar código arbitrario a través de vectores relacionados con (1) la interfaz Serializable, (2) la clase SplObjectStorage y (3) la clase SplDoublyLinkedList, que no es correctamente manejado durante la deserialización. A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. • https://www.exploit-db.com/exploits/38120 https://www.exploit-db.com/exploits/38122 http://php.net/ChangeLog-5.php http://www.debian.org/security/2015/dsa-3358 http://www.securityfocus.com/bid/76649 http://www.securitytracker.com/id/1033548 https://bugs.php.net/bug.php?id=70172 https://bugs.php.net/bug.php?id=70365 https://bugs.php.net/bug.php?id=70366 https://security.gentoo.org/glsa/201606-10 https://access.redhat.com/security/cve/CVE-2015-6834 • CWE-416: Use After Free •
CVSS: 10.0EPSS: 2%CPEs: 59EXPL: 0CVE-2015-5589 – php: segmentation fault in Phar::convertToData on invalid file
https://notcve.org/view.php?id=CVE-2015-5589
The phar_convert_to_other function in ext/phar/phar_object.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 does not validate a file pointer before a close operation, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted TAR archive that is mishandled in a Phar::convertToData call. La función phar_convert_to_other en ext/phar_objetc.c en PHP en versiones anteriores a 5.4.43, 5.5.x en versiones anteriores a 5.5.27 y 5.6.x en versiones anteriores a 5.6.11 no valida un apuntador de archivo antes de una operación de cierre, lo que permite a atacantes remotos provocar una denegación de servicio (fallo de segmentación) o tener un posible impacto no especificado a través de un archivo TAR manipulado que no es correctamente manejado en una llamada Phar::convertToData. A flaw was found in the way the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened. • http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=bf58162ddf970f63502837f366930e44d6a992cf http://openwall.com/lists/oss-security/2015/07/18/1 http://php.net/ChangeLog-5.php http://www.debian.org/security/2015/dsa-3344 http://www.securityfocus.com/bid/75974 https://bugs.php.net/bug.php?id=69958 https://access.redhat.com/security/cve/CVE-2015-5589 https://bugzilla.redhat.com/show_bug.cgi?id=1245236 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 1%CPEs: 56EXPL: 1CVE-2015-5590 – php: buffer overflow and stack smashing error in phar_fix_filepath
https://notcve.org/view.php?id=CVE-2015-5590
Stack-based buffer overflow in the phar_fix_filepath function in ext/phar/phar.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large length value, as demonstrated by mishandling of an e-mail attachment by the imap PHP extension. Desbordamiento de buffer basado en pila en la función phar_fix_filepath en ext/phar/phar.c en PHP en versiones anteriores a 5.4.43, 5.5.x en versiones anteriores a 5.5.27 y 5.6.x en versiones anteriores a 5.6.11 permite a atacantes remotos provocar una denegación de servicio o posiblemente tener otro impacto no especificado a través de un valor de gran longitud, según lo demostrado por el manejo incorrecto de un archivo adjunto de un e-mail en la extensión PHP imap. A flaw was found in the way the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened. • http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=6dedeb40db13971af45276f80b5375030aa7e76f http://openwall.com/lists/oss-security/2015/07/18/1 http://www.debian.org/security/2015/dsa-3344 http://www.php.net/ChangeLog-5.php http://www.securityfocus.com/bid/75970 https://bugs.php.net/bug.php?id=69923 https://access.redhat.com/security/cve/CVE-2015-5590 https://bugzilla.redhat.com/show_bug.cgi?id=1245242 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 5.9EPSS: 0%CPEs: 27EXPL: 1CVE-2015-3152 – mysql: use of SSL/TLS can not be enforced in mysql client library (oCERT-2015-003, BACKRONYM)
https://notcve.org/view.php?id=CVE-2015-3152
Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack. Oracle MySQL en versiones anteriores a 5.7.3, Oracle MySQL Connector/C (también conocido como libmysqlclient) en versiones anteriores a 6.1.3 y MariaDB en versiones anteriores a 5.5.44 utiliza la opción --ssl significa que SSL es opcional, lo que permite a atacantes man-in-the-middle suplantar servidores a través de un ataque de degradación de texto plano, también conocida como un ataque "BACKRONYM". It was found that the MySQL client library permitted but did not require a client to use SSL/TLS when establishing a secure connection to a MySQL server using the "--ssl" option. A man-in-the-middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server. • http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161436.html http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161625.html http://mysqlblog.fivefarmers.com/2014/04/02/redefining-ssl-option http://mysqlblog.fivefarmers.com/2015/04/29/ssltls-in-5-6-and-5-5-ocert-advisory http://packetstormsecurity.com/files/131688/MySQL-SSL-TLS-Downgrade.html http://rhn.redhat.com/errata/RHSA-2015-1646.html http://rhn.redhat.com/errata/RHSA-2015-1647.html http://rhn& • CWE-295: Improper Certificate Validation •