CVE-2015-0231

Advisory lineage Upstream: 0 Downstream: 12
Modified
Published: 27 Jan 2015, 11:00
Last modified:06 Aug 2024, 04:03

Vulnerability Summary

Overall Risk (default)
high
57/100
CVSS Score
7.5 HIGH
v2.0 (nvd)
EPSS Score
87.33% CRITICAL
87% probability +0.05%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected

Timeline

27 Jan 2015, 11:00
Published
Vulnerability first disclosed
06 Aug 2024, 04:03
Last Modified
Vulnerability information updated

Description

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142.

CVSS Metrics

  • v2.0HIGHScore: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 87.33% Percentile: 99%

Affected Systems

  • UnknownPHP

    ≤ 5.4.36 | 5.4.0 | 5.4.1 | 5.4.2 | 5.4.3 | 5.4.4 | 5.4.5 | 5.4.6 | 5.4.7 | 5.4.8 | 5.4.9 | 5.4.10 | 5.4.11 | 5.4.12 | 5.4.12:rc1 | 5.4.12:rc2 | 5.4.13 | 5.4.13:rc1 | 5.4.14 | 5.4.14:rc1 | 5.4.15:rc1 | 5.4.16:rc1 | 5.4.17 | 5.4.18 | 5.4.19 | 5.4.20 | 5.4.21 | 5.4.22 | 5.4.23 | 5.4.24 | 5.4.25 | 5.4.26 | 5.4.27 | 5.4.28 | 5.4.29 | 5.4.30 | 5.4.34 | 5.4.35 | 5.5.0 | 5.5.0:alpha1 | 5.5.0:alpha2 | 5.5.0:alpha3 | 5.5.0:alpha4 | 5.5.0:alpha5 | 5.5.0:alpha6 | 5.5.0:beta1 | 5.5.0:beta2 | 5.5.0:beta3 | 5.5.0:beta4 | 5.5.0:rc1 | 5.5.0:rc2 | 5.5.1 | 5.5.2 | 5.5.3 | 5.5.4 | 5.5.5 | 5.5.6 | 5.5.7 | 5.5.8 | 5.5.9 | 5.5.10 | 5.5.11 | 5.5.12 | 5.5.13 | 5.5.14 | 5.5.15 | 5.5.16 | 5.5.17 | 5.5.18 | 5.5.19 | 5.5.20 | 5.6.0:alpha1 | 5.6.0:alpha2 | 5.6.0:alpha3 | 5.6.0:alpha4 | 5.6.0:alpha5 | 5.6.0:beta1 | 5.6.0:beta2 | 5.6.0:beta3 | 5.6.0:beta4 | 5.6.1 | 5.6.2 | 5.6.3 | 5.6.4

References (23)