CVE-2015-0231
Published: 2015-01-27


Priority: P2 (58, high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EPSS: 42.59% (98.5th percentile)
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142.

Affected

83 ranges, showing 25

Vendor   | Product                | Version range                                  | Fixed in
apple    | mac_os_x               | <= 10.6.8                                      |
apple    | mac_os_x               | (6 further ranges; version data not extracted) |
apple    | os_x_el_capitan_v10.11 |                                                |
opensuse | opensuse               | (2 ranges; version data not extracted)         |
php      | php                    | <= 5.4.36                                      |
php      | php                    | <= 5.4.38                                      |
php      | php                    | (13 further ranges; version data not extracted)|

Detection & IOCs (extracted from sources)

  • The vulnerability is triggered via a crafted unserialize() call exploiting duplicate numerical keys within serialized object properties, targeting the process_nested_data function in ext/standard/var_unserializer.re
  • The vulnerable code path was introduced in PHP >= 5.3.9; versions 5.3.3 and earlier are not affected. Monitor for exploitation attempts against PHP 5.3.9 through 5.4.36, 5.5.x before 5.5.21, and 5.6.x before 5.6.5
  • Crash/exploitation manifests as a SIGSEGV in zend_get_class_entry() called from object_common2() in var_unserializer.c when processing crafted unserialize input; look for PHP interpreter crashes or segfaults in application logs
  • The upstream fix commit for CVE-2015-0231 can be used to distinguish patched from unpatched builds, or as the basis for diff-based detection
  • The process_nested_data() function in Tenable SecurityCenter is only reachable by authenticated users, reducing the remote exploitation risk in that product
  • Red Hat Enterprise Linux 5 and 6 base php packages and php53 on RHEL 5 are not affected, because the original flaw (CVE-2014-8142) did not affect those versions

CVSS provenance

nvd           | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv           |      | 7.5 | HIGH |
vendor_redhat |      | 7.5 | HIGH |
vendor_ubuntu |      | 7.5 | HIGH |