CVE-2014-9653 — Improper Input Validation in Project File

CWE-20 — Improper Input Validation CWE-125 — Out-of-bounds Read10 documents8 sources

Severity

7.5HIGHNVD

EPSS

6.8%

top 8.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

File Project File PHP Debian Linux

Timeline

PublishedMar 30

Latest updateMay 14

Description

readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

▶Debianfile_project/file< 1:5.22+15-1+3

▶NVDfile_project/file5.21

▶NVDphp/php5.4.36+26

Also affects: Debian Linux 7.0

🔴Vulnerability Details

GHSA

GHSA-px78-rrg6-77hf: readelf↗2022-05-14

▶

OSV

file vulnerabilities↗2018-06-14

▶

CVEList

CVE-2014-9653: readelf↗2015-03-30

▶

OSV

CVE-2014-9653: readelf↗2015-03-30

▶

📋Vendor Advisories

Ubuntu

file vulnerabilities↗2018-06-14

▶

Red Hat

file: malformed elf file causes access to uninitialized memory↗2014-12-16

▶

Debian

CVE-2014-9653: file - readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5...↗2014

▶

💬Community

Bugzilla

CVE-2014-9653 file: malformed elf file causes access to uninitialized memory↗2015-02-06

▶

Bugzilla

CVE-2014-9653 file: malformed elf file causes access to uninitialized memory [fedora-all]↗2015-02-06

▶