CVE-2014-3515

2014-07-0900:00:00

ubuntu.com

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.814

Percentile

98.4%

JSON

The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly
anticipates that certain data structures will have the array data type
after unserialization, which allows remote attackers to execute arbitrary
code via a crafted string that triggers use of a Hashtable destructor,
related to “type confusion” issues in (1) ArrayObject and (2)
SPLObjectStorage.

Bugs

<https://bugs.php.net/bug.php?id=67492>

OSVersionArchitecturePackageVersionFilename
ubuntu10.04noarchphp5< 5.3.2-1ubuntu4.26UNKNOWN
ubuntu12.04noarchphp5< 5.3.10-1ubuntu3.13UNKNOWN
ubuntu13.10noarchphp5< 5.5.3+dfsg-1ubuntu2.6UNKNOWN
ubuntu14.04noarchphp5< 5.5.9+dfsg-1ubuntu4.3UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	10.04	noarch	php5	< 5.3.2-1ubuntu4.26	UNKNOWN
ubuntu	12.04	noarch	php5	< 5.3.10-1ubuntu3.13	UNKNOWN
ubuntu	13.10	noarch	php5	< 5.5.3+dfsg-1ubuntu2.6	UNKNOWN
ubuntu	14.04	noarch	php5	< 5.5.9+dfsg-1ubuntu4.3	UNKNOWN