CVE-2014-3710 — Improper Input Validation in PHP

CWE-20 — Improper Input Validation CWE-125 — Out-of-bounds Read14 documents10 sources

Severity

5.0MEDIUMNVD

EPSS

7.4%

top 8.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

File Project File PHP Canonical Ubuntu Linux +1 more

Timeline

PublishedNov 5

Latest updateMay 14

Description

The donote function in readelf.c in file through 5.20, as used in the Fileinfo component in PHP 5.4.34, does not ensure that sufficient note headers are present, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶Debianfile_project/file< 1:5.20-2+3

▶Ubuntufile_project/file< 1:5.14-2ubuntu3.3

▶NVDphp/php5.4.0 — 5.4.35+2

Also affects: Debian Linux 7.0, 8.0, Ubuntu Linux 10.04, 12.04, 14.04, 14.10

Patches

Patch: bugs.php.net ↗Patch: github.com ↗Patch: bugs.php.net ↗

🔴Vulnerability Details

GHSA

GHSA-3rf4-9569-4jw7: The donote function in readelf↗2022-05-14

▶

OSV

file vulnerabilities↗2015-02-04

▶

OSV

CVE-2014-3710: The donote function in readelf↗2014-11-05

▶

CVEList

CVE-2014-3710: The donote function in readelf↗2014-11-05

▶

📋Vendor Advisories

Ubuntu

file vulnerabilities↗2015-02-04

▶

BSD

FreeBSD-SA-14:28.file: Multiple vulnerabilities in file(1) and libmagic(3)↗2014-12-10

▶

Ubuntu

php5 vulnerabilities↗2014-10-30

▶

Red Hat

file: out-of-bounds read in elf note headers↗2014-10-22

▶

Debian

CVE-2014-3710: file - The donote function in readelf.c in file through 5.20, as used in the Fileinfo c...↗2014

▶

💬Community

Bugzilla

CVE-2014-3710 file: out-of-bounds read in elf note headers [fedora-all]↗2014-10-22

▶

Bugzilla

CVE-2014-3710 php: file: out-of-bounds read in elf note headers [fedora-all]↗2014-10-22

▶

Bugzilla

CVE-2014-3710 file: out-of-bounds read in elf note headers↗2014-10-21

▶