CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
98.4%
The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly
anticipates that certain data structures will have the array data type
after unserialization, which allows remote attackers to execute arbitrary
code via a crafted string that triggers use of a Hashtable destructor,
related to “type confusion” issues in (1) ArrayObject and (2)
SPLObjectStorage.