CVE-2014-5459 — Link Following in PHP

CWE-59 — Link Following CWE-377 — Insecure Temporary File7 documents7 sources

Severity

3.6LOWNVD

EPSS

0.1%

top 77.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PHP Opensuse Evergreen Opensuse +1 more

Timeline

PublishedSep 27

Latest updateMay 13

Description

The PEAR_REST class in REST.php in PEAR in PHP through 5.6.0 allows local users to write to arbitrary files via a symlink attack on a (1) rest.cachefile or (2) rest.cacheid file in /tmp/pear/cache/, related to the retrieveCacheFirst and useLocalCache functions.

CVSS vector

AV:L/AC:L/C:N/I:P/A:PExploitability: 3.9 | Impact: 4.9

Affected Packages4 packages

▶NVDphp/php5.6.0

▶NVDoracle/solaris11.2

▶NVDopensuse/opensuse12.3, 13.1+1

▶NVDopensuse/evergreen11.4

🔴Vulnerability Details

GHSA

GHSA-w8vq-hjwg-7p95: The PEAR_REST class in REST↗2022-05-13

▶

OSV

CVE-2014-5459: The PEAR_REST class in REST↗2014-09-27

▶

CVEList

CVE-2014-5459: The PEAR_REST class in REST↗2014-09-27

▶

📋Vendor Advisories

Red Hat

php-pear: insecure temporary file use for cache data↗2014-08-25

▶

💬Community

HackerOne

PHP 5.4.45 is Outdated and Full of Preformance Interupting Arbitrary Code Execution Bugs↗2017-08-21

▶

Bugzilla

CVE-2014-5459 php-pear: insecure temporary file use for cache data↗2014-08-26

▶