CVE-2014-8142
published 2014-12-20

CVE-2014-8142: Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x…

Priority: P2 (66)
Severity: high, 7.5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: yes (flagged EXPLOIT; public exploit referenced under Detection & IOCs)
EPSS: 53.17% (98.8th percentile)
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019.

Affected

62 ranges · showing 25 (only two of the shown rows carry version data in this extract; the remaining rows list vendor php / product php with no version range)

Vendor   Product   Version range   Fixed in
php      php       <= 5.4.36
php      php       <= 5.4.35

Note that the first range conflicts with the description: 5.4.36 is the release that carries the fix, so for CVE-2014-8142 on its own treat 5.4.36, 5.5.20 and 5.6.4 as the minimum fixed versions (and see the CVE-2015-0231 note under Detection & IOCs for why those alone are not sufficient).

Detection & IOCs (extracted from sources)

url: http://git.php.net/?p=php-src.git;a=commitdiff;h=630f9c33c23639de85c3fd306b209b538b73b4c9 (php-src commit)
url: http://git.php.net/?p=php-src.git;a=commitdiff;h=53f129a44d3c4ec0fae57993b9ae2f6cb48973cc (php-src commit)
path: ext/standard/var_unserializer.re
hash (MD5 format): 0673ac259e90db8d75681af5f04a4c40
hash (MD5 format): 8b01972998d0525ec31dfff0ec64c74b
hash (MD5 format): cb8c9c6c4af75c71b909db711bffcc79
hash (MD5 format): 61d968c7441c4fcfae02bc17bcc9ad42
hash (MD5 format): 465c5da6a16e7caf7e7110916624b6c5
hash (MD5 format): f9dd149e395263d5592ff19d0c531ac1
hash (MD5 format): 4240057a3865c50af610f717c8c85d26
hash (MD5 format): e4227104f2ff72514101bb62dfcfad3a
hash (MD5 format): c9f4daf66868520004870392cf5c959d
path: libraries/includes/copy.php
url: https://bugs.php.net/bug.php?id=68594
  • Trigger: a crafted unserialize() input whose serialized object property list repeats a key (the sources describe duplicate numeric keys). Any PHP application that passes attacker-controlled data to unserialize() is an exposure point; inventory those call sites and monitor what reaches them.
  • eFront 3.6.15: the 'transfered' GET parameter of professor.php?ctg=copy is passed straight to unserialize() without validation; this is the injection point used by the public exploit.
  • Vulnerable code path: process_nested_data() in ext/standard/var_unserializer.re. Affected: PHP before 5.4.36, 5.5.x before 5.5.20 and 5.6.x before 5.6.4. The sources also flag PHP 5.3.x as potentially affected (the range they state, ">= 5.3.9 and < 5.3.3", is contradictory as written), so do not assume 5.3 builds are safe without a vendor statement.
  • Crash signature (GDB): SIGSEGV in zend_get_class_entry() called from object_common2() in var_unserializer.c, reached via php_var_unserialize() / zif_unserialize(). Useful for confirming exploitation attempts from crash dumps or core files.
  • PHP as shipped with Red Hat Enterprise Linux 5 and 6, and php53 on RHEL 5, is NOT affected by CVE-2014-8142.
  • In Tenable SecurityCenter the vulnerable code path is reachable only by authenticated users, which reduces the remote attack surface in that product.
  • The eFront 3.6.15 exploit requires authentication as a Professor role; unauthenticated exploitation is not demonstrated.
  • The upstream fix for CVE-2014-8142 was incomplete; CVE-2015-0231 was assigned to the incomplete fix. Patching to 5.4.36 / 5.5.20 / 5.6.4 alone is therefore not sufficient: deploy a release that also fixes CVE-2015-0231.
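Acting on the first two bullets above means checking what actually arrives at the unserialize() call site. What follows is an added example written for this page; it is not code from PHP, eFront or any of the cited sources. It parses the subset of PHP's serialization format needed to flag an object or array whose member list repeats a key, which is the trigger condition the description gives, and runs that check over one query-string parameter (the name 'transfered' comes from the eFront bullet). The sample payloads and the query string are constructed for the example and are not the public exploit.

```python
"""Flag PHP-serialized payloads whose object/array member list repeats a key.

Added example for this page; not code from PHP, eFront or the cited sources.
Handles the serialize() types N, b, i, d, s, a, O and records (owner, key)
for every key that appears twice in one object's property list or one array.
Sample inputs below are constructed, not captured traffic.
"""
from urllib.parse import parse_qs, quote_from_bytes


class PhpSerializeError(ValueError):
    """Raised on input that is not well-formed PHP serialization."""


class DuplicateKeyScanner:
    def __init__(self, data: bytes):
        self.d, self.i, self.findings = data, 0, []   # findings: [(owner, key)]

    def _expect(self, tok: bytes):
        if self.d[self.i:self.i + len(tok)] != tok:
            raise PhpSerializeError(f"expected {tok!r} at offset {self.i}")
        self.i += len(tok)

    def _read_until(self, tok: bytes) -> bytes:
        j = self.d.find(tok, self.i)
        if j < 0:
            raise PhpSerializeError(f"missing {tok!r} after offset {self.i}")
        out, self.i = self.d[self.i:j], j + 1
        return out

    def _read_string(self) -> bytes:
        # s:<len>:"<bytes>"  -- <len> is a byte count, so slice; never split on '"'
        self._expect(b":")
        n = int(self._read_until(b":"))
        self._expect(b'"')
        s = self.d[self.i:self.i + n]
        if len(s) != n:
            raise PhpSerializeError("string shorter than its declared length")
        self.i += n
        self._expect(b'"')
        return s

    def _read_members(self, owner: str):
        # <count>:{ key value key value ... }  -- the key list is what we audit
        self._expect(b":")
        count = int(self._read_until(b":"))
        self._expect(b"{")
        seen = set()
        for _ in range(count):
            key = self._value(as_key=True)
            if key in seen:
                self.findings.append((owner, key))
            seen.add(key)
            self._value()
        self._expect(b"}")

    def _value(self, as_key: bool = False):
        t = self.d[self.i:self.i + 1]
        self.i += 1
        if t == b"N":
            self._expect(b";")
            return None
        if t in (b"b", b"i", b"d"):
            self._expect(b":")
            raw = self._read_until(b";")
            return float(raw) if t == b"d" else int(raw)
        if t == b"s":
            s = self._read_string()
            self._expect(b";")
            return s
        if as_key:
            raise PhpSerializeError("array/object keys must be int or string")
        if t == b"a":
            self._read_members("array")
            return "array"
        if t == b"O":
            cls = self._read_string().decode("latin-1")
            self._read_members(cls)
            return cls
        raise PhpSerializeError(f"unsupported type {t!r} at offset {self.i - 1}")

    def run(self) -> list:
        self._value()
        if self.i != len(self.d):
            raise PhpSerializeError("trailing data after top-level value")
        return self.findings


def find_duplicate_keys(payload: bytes) -> list:
    """Return [(owner, key), ...] for every repeated key; [] when there are none."""
    return DuplicateKeyScanner(payload).run()


def scan_query_param(query: str, param: str) -> list:
    """Scan every value of one query parameter (eFront's is 'transfered').
    Unparseable values are reported too: a payload cut off by a logging limit
    still deserves a look."""
    out = []
    for v in parse_qs(query, keep_blank_values=True).get(param, []):
        try:
            out.extend(find_duplicate_keys(v.encode("latin-1")))
        except ValueError:              # PhpSerializeError is a ValueError
            out.append(("unparseable", None))
    return out


# Constructed samples (not the public exploit): a clean object, an object that
# repeats the property "a", and an array nesting an object with a repeated int key.
BENIGN = b'O:8:"stdClass":2:{s:1:"a";i:1;s:1:"b";i:2;}'
DUP_STRING_KEY = b'O:8:"stdClass":2:{s:1:"a";i:1;s:1:"a";i:2;}'
DUP_INT_KEY_NESTED = b'a:1:{i:0;O:8:"stdClass":2:{i:0;i:1;i:0;i:2;}}'
SAMPLE_QUERY = "ctg=copy&transfered=" + quote_from_bytes(DUP_INT_KEY_NESTED)

if __name__ == "__main__":
    for name, p in [("benign", BENIGN), ("dup string key", DUP_STRING_KEY),
                    ("dup int key, nested", DUP_INT_KEY_NESTED)]:
        print(f"{name:20s} -> {find_duplicate_keys(p)}")
    print(f"{'query param':20s} -> {scan_query_param(SAMPLE_QUERY, 'transfered')}")
```

This is a triage heuristic, not a confirmation of exploitation: a duplicate key is the condition the description names, and any request that carries one to an unserialize() sink on an unpatched build warrants a crash-dump check against the GDB signature above. Two limitations to keep in mind: the scanner does not apply PHP's key normalisation (it treats `i:1;` and `s:1:"1";` as different keys), and it skips types not listed in the docstring. The remediation itself is unchanged by any of this: patch PHP to a release that also covers CVE-2015-0231, and stop passing attacker-controlled input to unserialize() at all.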

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             2.0       7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                       10.0    CRITICAL
vendor_redhat             10.0    CRITICAL
vendor_ubuntu             7.5     HIGH