CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.88 High (Percentile: 98.4%)

A one-byte file containing only the ‘#’ character, not followed by any
newline, causes php-cgi to perform an out-of-bounds read, potentially
disclosing sensitive information present in memory or even triggering
code execution if an adjacent memory location contains valid PHP code.

A use-after-free vulnerability in unserialize() allows a remote attacker
to execute arbitrary code. This vulnerability results from an incomplete
fix for CVE-2014-8142.

An attempt to free an uninitialized pointer may result in arbitrary code
execution while parsing exif information from a carefully crafted file.
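
For the first issue above (the one-byte ‘#’ file), the following is an added illustration, not code from PHP or from this advisory. It assumes the out-of-bounds read comes from scanning for the end of a leading ‘#’ line without a length limit; the function name skip_hash_line and the sample buffers are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Assumed unsafe pattern (illustrative only): the scan has no length limit,
 * so a buffer holding just "#" is read past its last byte.
 *
 *     while (*p != '\n') p++;
 */

/*
 * Bounded version: return the offset of the first byte after a leading
 * '#' line, never reading beyond buf[len - 1].
 * Returns 0 when the buffer does not start with '#', and len when the
 * '#' line is not terminated by a newline.
 */
size_t skip_hash_line(const unsigned char *buf, size_t len)
{
    size_t i;

    if (buf == NULL || len == 0 || buf[0] != '#')
        return 0;

    for (i = 1; i < len; i++) {
        if (buf[i] == '\n')
            return i + 1;              /* content starts after the newline */
        if (buf[i] == '\r') {
            /* accept "\r\n" or a lone '\r', checking the bound first */
            if (i + 1 < len && buf[i + 1] == '\n')
                return i + 2;
            return i + 1;
        }
    }
    return len;                        /* no newline: nothing follows the line */
}

int main(void)
{
    /* Constructed inputs: the one-byte case from the advisory, and a script. */
    static const unsigned char one_byte[] = { '#' };
    static const unsigned char script[] = "#!/usr/bin/php\n<?php";

    printf("%zu\n", skip_hash_line(one_byte, sizeof one_byte));
    printf("%zu\n", skip_hash_line(script, sizeof script - 1));
    return 0;
}
```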