Fluid Attacks Database

Description

A type confusion issue was found in the SPL ArrayObject and SPLObjectStorage classes' unserialize() method. A remote attacker able to submit specially crafted input to a PHP application, which would then unserialize this input using one of the aforementioned methods, could use this flaw to execute arbitrary code with the privileges of the user running that PHP application.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rpm rhel6	php	<0:5.3.3-27.el6_5.1	0:5.3.3-27.el6_5.1
rpm rhel7	php	<0:5.4.16-23.el7_0	0:5.4.16-23.el7_0
rpm rhel5	php53	<0:5.3.3-23.el5_10	0:5.3.3-23.el5_10

Aliases

1. CVE-2014-35152. NVD-2014-35153. OSV-2014-3515