Описание
The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 mishandles multiple php_var_unserialize calls, which allow remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted session content.
| Релиз | Статус | Примечание |
|---|---|---|
| devel | released | 5.6.11+dfsg-1ubuntu3 |
| esm-infra-legacy/trusty | released | 5.5.9+dfsg-1ubuntu4.13 |
| precise | released | 5.3.10-1ubuntu3.20 |
| trusty | released | 5.5.9+dfsg-1ubuntu4.13 |
| trusty/esm | released | 5.5.9+dfsg-1ubuntu4.13 |
| upstream | released | 5.5.29,5.6.13 |
| vivid | released | 5.6.4+dfsg-4ubuntu6.3 |
Показывать по
EPSS
7.5 High
CVSS2
9.8 Critical
CVSS3
Связанные уязвимости
The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 mishandles multiple php_var_unserialize calls, which allow remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted session content.
The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 mishandles multiple php_var_unserialize calls, which allow remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted session content.
The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, an ...
The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 mishandles multiple php_var_unserialize calls, which allow remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted session content.
Уязвимость интерпретатора PHP, позволяющая нарушителю вызвать отказ в обслуживании или выполнить произвольный код
EPSS
7.5 High
CVSS2
9.8 Critical
CVSS3