CVE-2014-8142

Advisory lineage Upstream: 0 Downstream: 9

Downstream

DSA-3117-1 MGASA-2014-0542 RHSA-2015:1053 RHSA-2015:1066 RHSA-2015:1135 SUSE-SU-2015:0365-1

Modified

Published: 20 Dec 2014, 11:00

Last modified:06 Aug 2024, 13:10

Vulnerability Summary

Overall Risk (default)

high

58/100

CVSS Score

7.5 HIGH

v2.0 (nvd)

EPSS Score

88.32% CRITICAL

88% probability +0.04%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

20 Dec 2014, 11:00

Published

Vulnerability first disclosed

06 Aug 2024, 13:10

Last Modified

Vulnerability information updated

Description

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019.

CVSS Metrics

v2.0•HIGH•Score: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 88.32%• Percentile: 100%

Affected Systems

Unknown•PHP
≤ 5.4.35 | 5.5.0 | 5.5.0:alpha1 | 5.5.0:alpha2 | 5.5.0:alpha3 | 5.5.0:alpha4 | 5.5.0:alpha5 | 5.5.0:alpha6 | 5.5.0:beta1 | 5.5.0:beta2 | 5.5.0:beta3 | 5.5.0:beta4 | 5.5.0:rc1 | 5.5.0:rc2 | 5.5.1 | 5.5.2 | 5.5.3 | 5.5.4 | 5.5.5 | 5.5.6 | 5.5.7 | 5.5.8 | 5.5.9 | 5.5.10 | 5.5.11 | 5.5.12 | 5.5.13 | 5.5.14 | 5.5.15 | 5.5.16 | 5.5.17 | 5.5.18 | 5.5.19 | 5.6.0 | 5.6.0:alpha1 | 5.6.0:alpha2 | 5.6.0:alpha3 | 5.6.0:alpha4 | 5.6.0:alpha5 | 5.6.0:beta1 | 5.6.0:beta2 | 5.6.0:beta3 | 5.6.0:beta4 | 5.6.1 | 5.6.2 | 5.6.3