CVE-2015-0273
Published: 2015-03-30
Priority: P2 67 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 41.32% (98.5th percentile)
Multiple use-after-free vulnerabilities in ext/date/php_date.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allow remote attackers to execute arbitrary code via crafted serialized input containing a (1) R or (2) r type specifier in (a) DateTimeZone data handled by the php_date_timezone_initialize_from_hash function or (b) DateTime data handled by the php_date_initialize_from_hash function.
Affected
33 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | os_x_el_capitan_10.11.1_security_update_2015-004_yosemite_and_security_update_20 | — | — |
| apple | os_x_el_capitan_v10.11 | — | — |
| apple | os_x_yosemite_v10.10.4_and_security_update_2015-005 | — | — |
| php | php | <= 5.4.37 | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
Detection & IOCs
- Detect crafted serialized PHP payloads containing 'R' or 'r' type specifiers targeting DateTimeZone or DateTime objects via unserialize(); these trigger the use-after-free in php_date_timezone_initialize_from_hash / php_date_initialize_from_hash.
- Monitor PHP unserialize() calls processing DateTime, DateTimeZone, DateInterval, or DatePeriod objects with __wakeup() invocations; exploitation abuses the __wakeup() magic method path to achieve use-after-free for memory disclosure or RCE.
- Flag PHP processes spawning interactive shells (e.g., sh) as a child process; the PoC demonstrates code execution via assert+system('sh') through the UAF.
- PHP 5.4 < 5.4.38, PHP 5.5 < 5.5.22, and PHP 5.6 < 5.6.6 are affected; Red Hat Enterprise Linux 5 base php packages are NOT affected as they did not include the vulnerable code.
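The first two detection points above, written as a payload check (an added example, not a rule from this page or its sources). The function names, verdict labels and sample payloads are constructed for illustration, and the scanner assumes only the N, b, i, d, s, a, O, R and r tokens; anything else is reported as malformed.

```python
import re

# Classes named in the detection notes; PHP class names are case-insensitive.
DATE_CLASSES = {"datetime", "datetimezone", "dateinterval", "dateperiod"}
_STR_OR_OBJ = re.compile(rb'([sO]):(\d+):"')   # length-prefixed string or class name
_STR_TAIL = re.compile(rb'";')
_OBJ_TAIL = re.compile(rb'":\d+:\{')
_ARRAY = re.compile(rb'a:\d+:\{')
_SCALAR = re.compile(rb'(?:N|[bid]:[-+.\dA-Za-z]+);')
_REF = re.compile(rb'[Rr]:\d+;')

def scan(payload: bytes):
    """Tokenize one serialized value; return (date classes seen, reference count)."""
    classes, refs, pos = set(), 0, 0
    while pos < len(payload):
        if payload[pos:pos + 1] == b"}":
            pos += 1
        elif (m := _STR_OR_OBJ.match(payload, pos)):
            end = m.end() + int(m.group(2))
            is_obj = m.group(1) == b"O"
            tail = (_OBJ_TAIL if is_obj else _STR_TAIL).match(payload, end)
            if not tail:
                raise ValueError(f"bad length or terminator at byte {pos}")
            name = payload[m.end():end].decode("latin-1").lower()
            if is_obj and name in DATE_CLASSES:
                classes.add(name)
            pos = tail.end()  # string bodies are skipped by length, never scanned
        elif (m := _REF.match(payload, pos)):
            refs, pos = refs + 1, m.end()
        elif (m := _ARRAY.match(payload, pos) or _SCALAR.match(payload, pos)):
            pos = m.end()
        else:
            raise ValueError(f"unexpected token at byte {pos}")
    return classes, refs

def verdict(payload: bytes) -> str:
    try:
        classes, refs = scan(payload)
    except ValueError:
        return "malformed"  # assumption: unparseable input is routed to review
    return "flag" if classes and refs else "ok"

# Constructed, benign samples; none of them is a trigger for the bug.
TZ = b'O:12:"DateTimeZone":2:{s:13:"timezone_type";i:3;s:8:"timezone";s:3:"UTC";}'
WITH_REF = b'a:2:{i:0;' + TZ + b'i:1;R:2;}'
TEXT_ONLY = b'a:1:{i:0;s:22:"O:8:"DateTime" R:1; hi";}'
TRUNCATED = TZ[:40]
print([verdict(s) for s in (TZ, WITH_REF, TEXT_ONLY, TRUNCATED)])
```

Because strings are skipped by their declared length, text that merely looks like a reference or a class name inside a string value does not raise a flag.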
CVSS provenance
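| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 5.0 | MEDIUM | — |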
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2015-03-18·CVSS 5.0
CVE-2014-8117 [MEDIUM] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP.
Thomas Jarosch discovered that PHP incorrectly limited recursion in the
fileinfo extension. A remote attacker could possibly use this issue to
cause PHP to consume resources or crash, resulting in a denial of service.
(CVE-2014-8117)
S. Paraschoudis discovered that PHP incorrectly handled memory in the
enchant binding. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2014-9705)
Taoguang Chen discovered that PHP incorrectly handled unserializing
objects. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2015-0273)
It was discovered that
Red Hat
php: use after free vulnerability in unserialize() with DateTimeZone
vendor_redhat·2015-02-19·CVSS 7.5
CVE-2015-0273 [HIGH] CWE-416 php: use after free vulnerability in unserialize() with DateTimeZone
php: use after free vulnerability in unserialize() with DateTimeZone
Multiple use-after-free vulnerabilities in ext/date/php_date.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allow remote attackers to execute arbitrary code via crafted serialized input containing a (1) R or (2) r type specifier in (a) DateTimeZone data handled by the php_date_timezone_initialize_from_hash function or (b) DateTime data handled by the php_date_initialize_from_hash function.
A use-after-free flaw was found in the unserialize() function of PHP's DateTimeZone implementation. A malicious script author could possibly use this flaw to disclose certain portions of server memory.
Statement: This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 5 as they did
Apple
CVE-2015-0273: OS X Yosemite v10.10.4 and Security Update 2015-005
vendor_apple·CVSS 7.5
CVE-2015-0273 [HIGH] CVE-2015-0273: OS X Yosemite v10.10.4 and Security Update 2015-005
Apple Security Update: About the security content of OS X Yosemite v10.10.4 and Security Update 2015-005
Product: OS X Yosemite v10.10.4 and Security Update 2015-005
CVE: CVE-2015-0273
Component: CVE-2015-0273
Apple
CVE-2015-0273: OS X El Capitan v10.11
vendor_apple·CVSS 7.5
CVE-2015-0273 [HIGH] CVE-2015-0273: OS X El Capitan v10.11
Apple Security Update: About the security content of OS X El Capitan v10.11
Product: OS X El Capitan v10.11
CVE: CVE-2015-0273
Component: CVE-2015-0273
Apple
CVE-2015-0273: OS X El Capitan 10.11.1, Security Update 2015-004 Yosemite, and Security Update 2015-007 Mavericks
vendor_apple·CVSS 7.5
CVE-2015-0273 [HIGH] CVE-2015-0273: OS X El Capitan 10.11.1, Security Update 2015-004 Yosemite, and Security Update 2015-007 Mavericks
Apple Security Update: About the security content of OS X El Capitan 10.11.1, Security Update 2015-004 Yosemite, and Security Update 2015-007 Mavericks
Product: OS X El Capitan 10.11.1, Security Update 2015-004 Yosemite, and Security Update 2015-007 Mavericks
CVE: CVE-2015-0273
Component: CVE-2015-0273
GHSA
GHSA-mj23-h3wj-525j: Multiple use-after-free vulnerabilities in ext/date/php_date
ghsa_unreviewed·2022-05-14
CVE-2015-0273 [HIGH] GHSA-mj23-h3wj-525j: Multiple use-after-free vulnerabilities in ext/date/php_date
Multiple use-after-free vulnerabilities in ext/date/php_date.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allow remote attackers to execute arbitrary code via crafted serialized input containing a (1) R or (2) r type specifier in (a) DateTimeZone data handled by the php_date_timezone_initialize_from_hash function or (b) DateTime data handled by the php_date_initialize_from_hash function.
OSV
php5 vulnerabilities
osv·2015-03-18·CVSS 5.0
CVE-2014-8117 [MEDIUM] php5 vulnerabilities
php5 vulnerabilities
Thomas Jarosch discovered that PHP incorrectly limited recursion in the
fileinfo extension. A remote attacker could possibly use this issue to
cause PHP to consume resources or crash, resulting in a denial of service.
(CVE-2014-8117)
S. Paraschoudis discovered that PHP incorrectly handled memory in the
enchant binding. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2014-9705)
Taoguang Chen discovered that PHP incorrectly handled unserializing
objects. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2015-0273)
It was discovered that PHP incorrectly handled memory in the phar
extension. A re
OSV
CVE-2015-0273: Multiple use-after-free vulnerabilities in ext/date/php_date
osv·2015-02-23·CVSS 7.5
CVE-2015-0273 [HIGH] CVE-2015-0273: Multiple use-after-free vulnerabilities in ext/date/php_date
Multiple use-after-free vulnerabilities in ext/date/php_date.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allow remote attackers to execute arbitrary code via crafted serialized input containing a (1) R or (2) r type specifier in (a) DateTimeZone data handled by the php_date_timezone_initialize_from_hash function or (b) DateTime data handled by the php_date_initialize_from_hash function.
No detection rules found.