CVE-2014-3669Integer Overflow or Wraparound in PHP

CWE-189CWE-190Integer Overflow or Wraparound9 documents8 sources
Severity
7.5HIGHNVD
OSV5.0
EPSS
65.2%
top 1.51%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Php5PHPApple OS X Yosemite V10.10.3 AND Security Update 2015-004
Timeline
PublishedOct 29
Latest updateMay 17

Description

Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function that triggers calculation of a large length value.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

Ubuntuphp5/php5< 5.5.9+dfsg-1ubuntu4.5
NVDphp/php5.4.33+53

Patches

Patch: bugs.php.netPatch: bugs.php.net

🔴Vulnerability Details

3
GHSA
GHSA-h4mf-xgwj-q6f7: Integer overflow in the object_custom function in ext/standard/var_unserializer2022-05-17
OSV
php5 vulnerabilities2014-10-30
OSV
CVE-2014-3669: Integer overflow in the object_custom function in ext/standard/var_unserializer2014-10-29

📋Vendor Advisories

3
Ubuntu
php5 vulnerabilities2014-10-30
Red Hat
php: integer overflow in unserialize()2014-09-18
Apple
CVE-2014-3669: OS X Yosemite v10.10.3 and Security Update 2015-004

🕵️Threat Intelligence

1
Tenable
[R3] SecurityCenter 4.8.2 Fixes Third-party Library Vulnerability2014-11-05

💬Community

1
Bugzilla
CVE-2014-3669 php: integer overflow in unserialize()2014-10-20
CVE-2014-3669 — Integer Overflow or Wraparound in PHP | cvebase