Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2015-4148

Опубликовано: 03 мар. 2015
Источник: redhat
CVSS2: 4.3
EPSS Средний

Описание

The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that the uri property is a string, which allows remote attackers to obtain sensitive information by providing crafted serialized data with an int data type, related to a "type confusion" issue.

A flaws was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 5phpWill not fix
Red Hat Enterprise Linux 5php53Will not fix
Red Hat Software Collectionsphp54-phpAffected
Red Hat Software Collectionsphp55-phpAffected
Red Hat Software Collectionsrh-php56-phpNot affected
Red Hat Enterprise Linux 6phpFixedRHSA-2015:121809.07.2015
Red Hat Enterprise Linux 7phpFixedRHSA-2015:113523.06.2015
Red Hat Software Collections for Red Hat Enterprise Linux 6php55FixedRHSA-2015:105304.06.2015
Red Hat Software Collections for Red Hat Enterprise Linux 6php55-phpFixedRHSA-2015:105304.06.2015
Red Hat Software Collections for Red Hat Enterprise Linux 6php54FixedRHSA-2015:106604.06.2015

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Low
Дефект:
CWE-843
https://bugzilla.redhat.com/show_bug.cgi?id=1226916php: SoapClient's do_soap_call() type confusion after unserialize()

EPSS

Процентиль: 95%
0.19265
Средний

4.3 Medium

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2015-4148

ubuntu
около 10 лет назад

The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that the uri property is a string, which allows remote attackers to obtain sensitive information by providing crafted serialized data with an int data type, related to a "type confusion" issue.

nvd логотип

CVE-2015-4148

nvd
около 10 лет назад

The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that the uri property is a string, which allows remote attackers to obtain sensitive information by providing crafted serialized data with an int data type, related to a "type confusion" issue.

debian логотип

CVE-2015-4148

debian
около 10 лет назад

The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5 ...

github логотип

GHSA-88qx-xxqp-phh3

github
около 3 лет назад

The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that the uri property is a string, which allows remote attackers to obtain sensitive information by providing crafted serialized data with an int data type, related to a "type confusion" issue.

fstec логотип

BDU:2022-02527

CVSS3: 4
fstec
около 10 лет назад

Уязвимость функции do_soap_call (ext/soap/soap.c) интерпретатора языка программирования PHP, позволяющая нарушителю получить доступ к защищаемой информации

EPSS

Процентиль: 95%
0.19265
Средний

4.3 Medium

CVSS2