CVE-2014-3670

2014-10-2910:55:00

CWE-119

[email protected]

web.nvd.nist.gov

104

cve-2014-3670

php

exif

vulnerability

denial of service

remote code execution

nvd

7.8 High

AI Score

Confidence

Low

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.269 Low

EPSS

Percentile

96.7%

JSON

The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted JPEG image with TIFF thumbnail data that is improperly handled by the exif_thumbnail function.

CPENameOperatorVersion
php:phpphpeq5.6.1
php:phpphpeq5.5.0
php:phpphpeq5.4.32
php:phpphpeq5.4.12
php:phpphpeq5.4.15
php:phpphpeq5.5.16
php:phpphpeq5.4.19
php:phpphpeq5.6.0
php:phpphpeq5.5.1
php:phpphpeq5.5.5

CPE	Name	Operator	Version
php:php	php	eq	5.6.1
php:php	php	eq	5.5.0
php:php	php	eq	5.4.32
php:php	php	eq	5.4.12
php:php	php	eq	5.4.15
php:php	php	eq	5.5.16
php:php	php	eq	5.4.19
php:php	php	eq	5.6.0
php:php	php	eq	5.5.1
php:php	php	eq	5.5.5