Use-after-free vulnerability in the process_nested_data function in
ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21,
and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code
via a crafted unserialize call that leverages improper handling of
duplicate numerical keys within the serialized properties of an object.
NOTE: this vulnerability exists because of an incomplete fix for
CVE-2014-8142.

Bugs

<https://bugs.php.net/bug.php?id=68710>

Notes

Author	Note
mdeslaur	incomplete fix of CVE-2014-8142

OSVersionArchitecturePackageVersionFilename
ubuntu12.04noarchphp5< 5.3.10-1ubuntu3.16UNKNOWN
ubuntu14.04noarchphp5< 5.5.9+dfsg-1ubuntu4.6UNKNOWN
ubuntu14.10noarchphp5< 5.5.12+dfsg-2ubuntu4.2UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	12.04	noarch	php5	< 5.3.10-1ubuntu3.16	UNKNOWN
ubuntu	14.04	noarch	php5	< 5.5.9+dfsg-1ubuntu4.6	UNKNOWN
ubuntu	14.10	noarch	php5	< 5.5.12+dfsg-2ubuntu4.2	UNKNOWN

References

launchpad.net/bugs/cve/CVE-2015-0231

nvd.nist.gov/vuln/detail/CVE-2015-0231

security-tracker.debian.org/tracker/CVE-2015-0231

ubuntu.com/security/notices/USN-2501-1

www.cve.org/CVERecord?id=CVE-2015-0231

checkpoint_advisories 5

nvd 3

cve 3

prion 3

cvelist 3

nessus 55

ubuntucve 2

openvas 38

archlinux 2

fedora 5

amazon 7

securityvulns 9

mageia 2

exploitpack 2

debian 4

packetstorm 2

exploitdb 2

suse 2

f5 6

gentoo 2

slackware 2

veracode 27

ubuntu 1

kaspersky 1

freebsd 1

osv 2

redhat 3

oraclelinux 3

centos 1

rosalinux 1

checkpoint_advisories

PHP Core unserialize process nested data Use After Free - ver 2 (CVE-2014-8142; CVE-2015-0231)

2015-04-29 00:00:00

PHP Core unserialize process nested data Use After Free - Ver2 (CVE-2014-8142)

2015-05-18 00:00:00

PHP Core unserialize process nested data Use After Free (CVE-2014-8142)

2015-02-09 00:00:00

nvd

CVE-2015-0231

2015-01-27 20:03:41

CVE-2014-8142

2014-12-20 11:59:00

CVE-2015-2787

2015-03-30 10:59:15

cve

CVE-2015-0231

2015-01-27 20:03:41

CVE-2014-8142

2014-12-20 11:59:00

CVE-2015-2787

2015-03-30 10:59:15

prion

Design/Logic Flaw

2015-01-27 20:03:00

Design/Logic Flaw

2014-12-20 11:59:00

Design/Logic Flaw

2015-03-30 10:59:00

cvelist

CVE-2015-0231

2015-01-27 11:00:00

CVE-2014-8142

2014-12-20 11:00:00

CVE-2015-2787

2015-03-30 10:00:00

nessus

SuSE 11.3 Security Update : php53 (SAT Patch Number 10313)

2015-02-25 00:00:00

Fedora 20 : php-5.5.21-1.fc20 (2015-1101)

2015-02-06 00:00:00

Fedora 21 : php-5.6.5-1.fc21 (2015-1058)

2015-02-06 00:00:00

ubuntucve

CVE-2014-8142

2014-12-20 00:00:00

CVE-2015-2787

2015-03-30 00:00:00

openvas

SUSE: Security Advisory (SUSE-SU-2015:0370-1)

2021-06-09 00:00:00

Amazon Linux: Security Advisory (ALAS-2015-474)

2015-09-08 00:00:00

Amazon Linux: Security Advisory (ALAS-2015-475)

2015-09-08 00:00:00

archlinux

php: remote code execution

2015-01-23 00:00:00

php: use after free

2014-12-19 00:00:00

fedora

[SECURITY] Fedora 21 Update: php-5.6.5-1.fc21

2015-02-06 03:59:46

[SECURITY] Fedora 21 Update: php-5.6.4-2.fc21

2014-12-29 09:59:23

[SECURITY] Fedora 20 Update: php-5.5.21-1.fc20

2015-02-06 04:03:31

amazon

Medium: php55

2015-02-11 19:33:00

Medium: php54

2015-02-11 19:34:00

Medium: php55

2015-01-08 11:35:00

securityvulns

[ MDVSA-2015:032 ] php

2015-02-11 00:00:00

[USN-2501-1] PHP vulnerabilities

2015-02-22 00:00:00

PHP security vulnerabilities

2014-12-23 00:00:00

mageia

Updated php packages fix CVE-2014-8142

2014-12-21 23:47:32

Updated php packages fix security vulnerabilities

2015-01-28 00:08:29

exploitpack

eFront 3.6.15 - PHP Object Injection

2015-05-11 00:00:00

Kerio Control Unified Threat Management 9.1.0 build 10879.1.1 build 1324 - Multiple Vulnerabilities

2016-09-22 00:00:00

debian

[SECURITY] [DSA 3117-1] php5 security update

2014-12-31 14:47:01

[SECURITY] [DSA 3117-1] php5 security update

2014-12-31 14:47:01

[SECURITY] [DSA 3195-1] php5 security update

2015-03-18 11:56:46

packetstorm

eFront 3.6.15 PHP Object Injection

2015-05-09 00:00:00

Kerio Control Unified Threat Management Code Execution / XSS / Memory Corruption

2016-09-22 00:00:00

exploitdb

eFront 3.6.15 - PHP Object Injection

2015-05-11 00:00:00

Kerio Control Unified Threat Management 9.1.0 build 1087/9.1.1 build 1324 - Multiple Vulnerabilities

2016-09-22 00:00:00

suse

Security update for php5 (important)

2015-02-24 11:05:36

Security update for php53 (important)

2016-06-21 13:08:17

K16339 : Multiple PHP vulnerabilities CVE-2014-9425, CVE-2014-9426, CVE-2014-9427, CVE-2015-0231, and CVE-2015-0232

2015-04-01 00:00:00

SOL16339 - Multiple PHP vulnerabilities CVE-2014-9425, CVE-2014-9426, CVE-2014-9427, CVE-2015-0231, and CVE-2015-0232

2015-04-01 00:00:00

SOL16021 - PHP vulnerability CVE-2014-8142

2015-01-22 00:00:00

gentoo

PHP: Multiple vulnerabilities

2015-03-08 00:00:00

PHP: Multiple vulnerabilities

2016-06-19 00:00:00

slackware

[slackware-security] php

2014-12-23 05:38:55

[slackware-security] php

2015-04-22 01:22:40

veracode

Arbitrary Code Execution

2019-01-15 09:06:10

Denial Of Service (DoS)

2019-05-02 05:39:23

Arbitrary File Write

2019-05-02 05:39:23

ubuntu

PHP vulnerabilities

2015-02-17 00:00:00

kaspersky

KLA10515 Multiple vulnerabilities in PHP and extensions

2015-03-30 00:00:00

freebsd

Several vulnerabilities found in PHP

2015-03-19 00:00:00

osv

php5 - security update

2015-03-18 00:00:00

php5 - security update

2015-04-29 00:00:00

redhat

(RHSA-2015:1053) Moderate: php55 security and bug fix update

2015-06-04 00:00:00

(RHSA-2015:1066) Important: php54 security and bug fix update

2015-06-04 00:00:00

(RHSA-2015:1135) Important: php security and bug fix update

2015-06-23 00:00:00

oraclelinux

php55 security and bug fix update

2016-02-04 00:00:00

php54 security and bug fix update

2016-02-04 00:00:00

php security and bug fix update

2015-06-23 00:00:00

centos

php security update

2015-06-24 03:28:02

rosalinux

Advisory ROSA-SA-2021-1950

2021-07-02 17:57:45

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.861 High

EPSS

Percentile

98.6%

JSON

Related for UB:CVE-2015-0231