Описание
Multiple use-after-free vulnerabilities in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 allow remote attackers to execute arbitrary code via vectors related to (1) the Serializable interface, (2) the SplObjectStorage class, and (3) the SplDoublyLinkedList class, which are mishandled during unserialization.
A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.
Отчет
This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 5 and 6. This issue is not currently planned to be corrected in future updates in Red Hat Enterprise Linux 7 and Red Hat Software Collections.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | php | Not affected | ||
| Red Hat Enterprise Linux 5 | php53 | Not affected | ||
| Red Hat Enterprise Linux 6 | php | Not affected | ||
| Red Hat Enterprise Linux 7 | php | Will not fix | ||
| Red Hat Software Collections | php54-php | Will not fix | ||
| Red Hat Software Collections | php55-php | Will not fix | ||
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-php56-php | Fixed | RHSA-2016:0457 | 15.03.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS | rh-php56-php | Fixed | RHSA-2016:0457 | 15.03.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS | rh-php56-php | Fixed | RHSA-2016:0457 | 15.03.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-php56-php | Fixed | RHSA-2016:0457 | 15.03.2016 |
Показывать по
Дополнительная информация
Статус:
EPSS
5.1 Medium
CVSS2
Связанные уязвимости
Multiple use-after-free vulnerabilities in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 allow remote attackers to execute arbitrary code via vectors related to (1) the Serializable interface, (2) the SplObjectStorage class, and (3) the SplDoublyLinkedList class, which are mishandled during unserialization.
Multiple use-after-free vulnerabilities in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 allow remote attackers to execute arbitrary code via vectors related to (1) the Serializable interface, (2) the SplObjectStorage class, and (3) the SplDoublyLinkedList class, which are mishandled during unserialization.
Multiple use-after-free vulnerabilities in PHP before 5.4.45, 5.5.x be ...
Multiple use-after-free vulnerabilities in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 allow remote attackers to execute arbitrary code via vectors related to (1) the Serializable interface, (2) the SplObjectStorage class, and (3) the SplDoublyLinkedList class, which are mishandled during unserialization.
Уязвимости интерпретатора PHP, позволяющие нарушителю выполнить произвольный код
EPSS
5.1 Medium
CVSS2