A type confusion issue was found in the SPL ArrayObject and SPLObjectStorage classes' unserialize() method. A remote attacker able to submit specially crafted input to a PHP application, which would then unserialize this input using one of the aforementioned methods, could use this flaw to execute arbitrary code with the privileges of the user running that PHP application.
Platform | Package | Release Date | Advisory |
---|---|---|---|
Amazon Linux 1 | php | 2014-08-21 11:15 | ALAS-2014-393 |
Amazon Linux 1 | php54 | 2014-07-09 16:24 | ALAS-2014-367 |
Amazon Linux 1 | php55 | 2014-07-09 16:42 | ALAS-2014-372 |
Score Type | Score | Vector | |
---|---|---|---|
Amazon Linux | CVSSv2 | 5.1 | AV:N/AC:H/Au:N/C:P/I:P/A:P |
NVD | CVSSv2 | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |