CVE-2015-4148: The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that the uri property is a…

medium5CVSS 3.1

AVNACLAuNCPINAN

EXPLOIT

The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that the uri property is a string, which allows remote attackers to obtain sensitive information by providing crafted serialized data with an int data type, related to a "type confusion" issue.

Affected

36 ranges· showing 25

Vendor	Product	Version range	Fixed in
apple	mac_os_x	<= 10.10.4	—
apple	os_x_yosemite_v10.10.5_and_security_update_2015-006	—	—
php	php	<= 5.4.38	—
php	php	—	—
php	php	—	—
php	php	—	—
php	php	—	—
php	php	—	—
php	php	—	—
php	php	—	—
php	php	—	—
php	php	—	—
php	php	—	—
php	php	—	—
php	php	—	—
php	php	—	—
php	php	—	—
php	php	—	—
php	php	—	—
php	php	—	—
php	php	—	—
php	php	—	—
php	php	—	—
php	php	—	—
php	php	—	—

CVSS provenance

nvd5.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N

osv6.5MEDIUM