CVE-2014-3515
Public on 2014-07-09
Modified on 2014-09-19
Description
A type confusion issue was found in the SPL ArrayObject and SPLObjectStorage classes' unserialize() method. A remote attacker able to submit specially crafted input to a PHP application, which would then unserialize this input using one of the aforementioned methods, could use this flaw to execute arbitrary code with the privileges of the user running that PHP application.
Severity
Low
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | php | 2014-08-21 | ALAS-2014-393 | Fixed |
| Amazon Linux 1 | php54 | 2014-07-09 | ALAS-2014-367 | Fixed |
| Amazon Linux 1 | php55 | 2014-07-09 | ALAS-2014-372 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv2 | 5.1 | AV:N/AC:H/Au:N/C:P/I:P/A:P |
| NVD | CVSSv2 | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |