CVE-2014-3515
php: unserialize() SPL ArrayObject / SPLObjectStorage type confusion flaw
Descriptions
The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to "type confusion" issues in (1) ArrayObject and (2) SPLObjectStorage.
A type confusion issue was found in the SPL ArrayObject and SPLObjectStorage classes' unserialize() method. A remote attacker able to submit specially crafted input to a PHP application, which would then unserialize this input using one of the aforementioned methods, could use this flaw to execute arbitrary code with the privileges of the user running that PHP application.
The unserialize() function in PHP before 5.4.30 and 5.5.14 has a Type Confusion issue related to the SPL ArrayObject and SPLObjectStorage Types. It was discovered that PHP is vulnerable to a heap-based buffer overflow in the DNS TXT record parsing. A malicious server or man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application uses dns_get_record() to perform a DNS query. A flaw was found in the way file parsed property information from Composite Document Files (CDF) files, where the mconvert() function did not correctly compute the truncated pascal string size. Multiple flaws were found in the way file parsed property information from Composite Document Files files, due to insufficient boundary checks on buffers. PHP contains a bundled copy of the file utility's libmagic library, so it was vulnerable to this issue. It has been updated to version 5.5.14, which fixes this issue and several other bugs. The phpinfo() function in PHP before 5.4.30 and 5.5.14 has a Type Confusion issue that can cause it to leak arbitrary process memory. Additionally, php-apc has been rebuilt against the updated php packages and the php-timezonedb package has been upgraded to the 2014.5 version.
Timeline
- 2014-05-14 CVE Reserved
- 2014-07-09 CVE Published
- 2024-08-06 CVE Updated
- 2025-04-12 EPSS Updated
CWE
- CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
References (17)
URL | Tag | Source |
---|---|---|
http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=88223c5245e9b470e1e6362bfd96829562ffe6ab | X_refsource_confirm | |
http://secunia.com/advisories/59794 | Third Party Advisory | |
http://secunia.com/advisories/59831 | Third Party Advisory | |
http://secunia.com/advisories/60998 | Third Party Advisory | |
http://support.apple.com/kb/HT6443 | Third Party Advisory | |
http://www-01.ibm.com/support/docview.wss?uid=swg21683486 | Third Party Advisory | |
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html | Third Party Advisory | |
http://www.securityfocus.com/bid/68237 | Third Party Advisory | |

URL | Date | SRC |
---|---|---|
https://bugs.php.net/bug.php?id=67492 | 2023-11-07 | |
http://lists.opensuse.org/opensuse-updates/2014-09/msg00046.html | 2023-11-07 | |
http://marc.info/?l=bugtraq&m=141017844705317&w=2 | 2023-11-07 | |
http://rhn.redhat.com/errata/RHSA-2014-1765.html | 2023-11-07 | |
http://rhn.redhat.com/errata/RHSA-2014-1766.html | 2023-11-07 | |
http://www.debian.org/security/2014/dsa-2974 | 2023-11-07 | |
http://www.php.net/ChangeLog-5.php | 2023-11-07 | |
https://access.redhat.com/security/cve/CVE-2014-3515 | 2014-10-30 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1112154 | 2014-10-30 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Php | Php | < 5.3.29 | - | Affected |
Php | Php | >= 5.4.0 < 5.4.30 | - | Affected |
Php | Php | >= 5.5.0 < 5.5.14 | - | Affected |
Debian | Debian Linux | 7.0 | - | Affected |
Debian | Debian Linux | 8.0 | - | Affected |