CVE-2014-3515
published 2014-07-09

Priority: P265 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 30.13% (98.0th percentile)
The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to "type confusion" issues in (1) ArrayObject and (2) SPLObjectStorage.

Affected

6 ranges
Vendor | Product | Version range | Fixed in
debian | debian_linux | |
debian | debian_linux | |
php | php | < 5.3.29 | 5.3.29
php | php | >= 5.4.0 < 5.4.30 | 5.4.30
php | php | >= 5.5.0 < 5.5.14 | 5.5.14
php5 | php5 | >= 0 < 5.5.9+dfsg-1ubuntu4.3 | 5.5.9+dfsg-1ubuntu4.3

Detection & IOCs (extracted from sources)

url: http://git.php.net/?p=php-src.git;a=commit;h=a374dfab567ff7f0ab0dc150f14cc891b0340b47
  • Detect CVE-2014-3515 exploitation attempts by inspecting POST body for serialized SplObjectStorage payloads containing the 'C:16:"SplObjectStorage"' token combined with embedded object type confusion markers (e.g. double-precision float near zero, raw byte sequences).
  • Monitor POST requests to set.php and GET requests to contentLoader.php with arbitrary k_securityHash values (any non-empty string bypasses CSRF check), especially when the body contains serialized PHP data structures targeting SplObjectStorage or ArrayObject.
  • Alert on unserialize() calls in PHP applications that receive attacker-controlled input where the serialized string encodes the SplObjectStorage or ArrayObject class types, as these are the two affected classes for CVE-2014-3515.
  • Flag PHP versions below 5.4.30 or 5.5.x below 5.5.14 running internet-facing applications that call unserialize() on user-supplied data, as these are the vulnerable version ranges for CVE-2014-3515.
  • The exploit payload targeting Kerio Control uses hardcoded offsets specific to one binary build; it will not work against other versions or builds without modification.
  • CVE-2014-3515 did not affect PHP as shipped with Red Hat Enterprise Linux 5.

CVSS provenance

nvd (v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
osv: 7.5 HIGH
vendor_redhat: 7.5 HIGH
vendor_ubuntu: 6.5 MEDIUM