cbcvebase.
CVE-2015-5723
published 2016-06-07


Priority: P3 36 high
CVSS 3.0: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.38% (30.0th percentile)
Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code.
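As an added defender-side check (not part of this record or of the Doctrine project), the POSIX shell script below reproduces the condition the description names, a process running with umask 0 ending up with a world-writable cache directory, then finds such directories and removes the write bit. A plain `mkdir` under a given umask mirrors what PHP's `mkdir($dir, 0777)` does, since both apply `0777 & ~umask`; the cache paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the advisory or the Doctrine project.
# Audits a file-based cache tree for the condition CVE-2015-5723 describes
# (world-writable cache directories), reproduces the umask-0 cause, and
# applies the permission fix. All paths used below are constructed.

# Print every directory under $1 that is writable by "other" (mode bit 0002).
# Any local user could plant or replace files there; if the application later
# includes those files as PHP, that is code execution as the application user.
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null
}

# Create $2 (and parents) the way a PHP mkdir($dir, 0777) would under umask $1:
# the kernel applies 0777 & ~umask, so umask 0 yields 0777 and umask 022
# yields 0755. This is the root cause: the library trusted the process umask.
make_cache_dir_with_umask() {
    ( umask "$1" && mkdir -p "$2" )
}

# Mitigation for an existing deployment: strip group/other write bits from the
# whole tree and restrict the cache root to its owning user (group read-only).
harden_cache_dir() {
    chmod -R go-w "$1" && chmod 0750 "$1"
}

# Exit 0 if no world-writable directory remains under $1, 1 otherwise.
cache_dir_is_safe() {
    [ -z "$(find_world_writable_dirs "$1")" ]
}

# Usage: reproduce the weak state, detect it, fix it, re-check.
if [ "${1:-}" = "--demo" ]; then
    root=$(mktemp -d)
    make_cache_dir_with_umask 0 "$root/cache/doctrine/proxies"
    echo "world-writable before hardening:"
    find_world_writable_dirs "$root/cache"
    harden_cache_dir "$root/cache"
    cache_dir_is_safe "$root/cache" && echo "cache tree hardened"
    rm -rf "$root"
fi
```

Run it as `sh audit_cache.sh --demo` for the end-to-end walk-through, or source it and point `find_world_writable_dirs` at a real cache root to audit a deployment.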

Affected

38 ranges (showing 25)

Vendor           | Product                  | Version range                   | Fixed in
-----------------|--------------------------|---------------------------------|---------------------------------
aws              | aws-sdk-php              | >= 3.0.0 < 3.2.1                | 3.2.1
debian           | debian_linux             |                                 |
debian           | debian_linux             |                                 |
debian           | doctrine                 | < doctrine 2.4.8-1 (bookworm)   | doctrine 2.4.8-1 (bookworm)
debian           | php-doctrine-annotations | < doctrine 2.4.8-1 (bookworm)   | doctrine 2.4.8-1 (bookworm)
debian           | php-doctrine-bundle      | < doctrine 2.4.8-1 (bookworm)   | doctrine 2.4.8-1 (bookworm)
debian           | php-doctrine-cache       | < doctrine 2.4.8-1 (bookworm)   | doctrine 2.4.8-1 (bookworm)
debian           | php-doctrine-common      | < doctrine 2.4.8-1 (bookworm)   | doctrine 2.4.8-1 (bookworm)
doctrine-project | annotations              | <= 1.2.6                        |
doctrine-project | cache                    | <= 1.3.1                        |
doctrine-project | cache                    |                                 |
doctrine-project | cache                    |                                 |
doctrine-project | common                   | <= 2.4.2                        |
doctrine-project | common                   |                                 |
doctrine-project | doctrinemongodbbundle    |                                 |
doctrine-project | mongodb-odm              | <= 1.0.1                        |
doctrine-project | object_relational_mapper | <= 2.4.7                        |
doctrine-project | object_relational_mapper |                                 |
doctrine         | annotations              | >= 0 < 1.2.7                    | 1.2.7
doctrine         | cache                    | >= 1.0.0 < 1.3.2                | 1.3.2
doctrine         | cache                    | >= 1.4.0 < 1.4.2                | 1.4.2
doctrine         | common                   | >= 0 < 2.4.3                    | 2.4.3
doctrine         | common                   | >= 2.5.0-stable < 2.5.1         | 2.5.1
doctrine         | mongodb-odm              | >= 0 < 1.0.2                    | 1.0.2
doctrine         | mongodb-odm-bundle       | >= 0 < 3.0.1                    | 3.0.1

CVSS provenance

Source        | Version | Score | Severity | Vector
--------------|---------|-------|----------|-----------------------------------------------
nvd           | v3.0    | 7.8   | HIGH     | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 7.2   | HIGH     | AV:L/AC:L/Au:N/C:C/I:C/A:C
osv           |         | 7.8   | HIGH     |
vendor_debian |         | 7.8   | LOW      |