Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
EUVDB-ID: #VU31834
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2014-9709
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5,. A remote attacker can perform a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function.
MitigationUpdate the affected package php74 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP Applications: 12-SP3 - 12-SP5
SUSE Linux Enterprise High Performance Computing: 12
SUSE Linux Enterprise Server: 12-SP2-LTSS-ERICSSON - 12-SP5
SUSE Linux Enterprise Module for Web Scripting: 12
SUSE Linux Enterprise Software Development Kit: 12-SP5
php74-zlib-debuginfo: before 7.4.33-1.50.2
php74-zlib: before 7.4.33-1.50.2
php74-zip-debuginfo: before 7.4.33-1.50.2
php74-zip: before 7.4.33-1.50.2
php74-xsl-debuginfo: before 7.4.33-1.50.2
php74-xsl: before 7.4.33-1.50.2
php74-xmlwriter-debuginfo: before 7.4.33-1.50.2
php74-xmlwriter: before 7.4.33-1.50.2
php74-xmlrpc-debuginfo: before 7.4.33-1.50.2
php74-xmlrpc: before 7.4.33-1.50.2
php74-xmlreader-debuginfo: before 7.4.33-1.50.2
php74-xmlreader: before 7.4.33-1.50.2
php74-tokenizer-debuginfo: before 7.4.33-1.50.2
php74-tokenizer: before 7.4.33-1.50.2
php74-tidy-debuginfo: before 7.4.33-1.50.2
php74-tidy: before 7.4.33-1.50.2
php74-sysvshm-debuginfo: before 7.4.33-1.50.2
php74-sysvshm: before 7.4.33-1.50.2
php74-sysvsem-debuginfo: before 7.4.33-1.50.2
php74-sysvsem: before 7.4.33-1.50.2
php74-sysvmsg-debuginfo: before 7.4.33-1.50.2
php74-sysvmsg: before 7.4.33-1.50.2
php74-sqlite-debuginfo: before 7.4.33-1.50.2
php74-sqlite: before 7.4.33-1.50.2
php74-sodium-debuginfo: before 7.4.33-1.50.2
php74-sodium: before 7.4.33-1.50.2
php74-sockets-debuginfo: before 7.4.33-1.50.2
php74-sockets: before 7.4.33-1.50.2
php74-soap-debuginfo: before 7.4.33-1.50.2
php74-soap: before 7.4.33-1.50.2
php74-snmp-debuginfo: before 7.4.33-1.50.2
php74-snmp: before 7.4.33-1.50.2
php74-shmop-debuginfo: before 7.4.33-1.50.2
php74-shmop: before 7.4.33-1.50.2
php74-readline-debuginfo: before 7.4.33-1.50.2
php74-readline: before 7.4.33-1.50.2
php74-posix-debuginfo: before 7.4.33-1.50.2
php74-posix: before 7.4.33-1.50.2
php74-phar-debuginfo: before 7.4.33-1.50.2
php74-phar: before 7.4.33-1.50.2
php74-pgsql-debuginfo: before 7.4.33-1.50.2
php74-pgsql: before 7.4.33-1.50.2
php74-pdo-debuginfo: before 7.4.33-1.50.2
php74-pdo: before 7.4.33-1.50.2
php74-pcntl-debuginfo: before 7.4.33-1.50.2
php74-pcntl: before 7.4.33-1.50.2
php74-openssl-debuginfo: before 7.4.33-1.50.2
php74-openssl: before 7.4.33-1.50.2
php74-opcache-debuginfo: before 7.4.33-1.50.2
php74-opcache: before 7.4.33-1.50.2
php74-odbc-debuginfo: before 7.4.33-1.50.2
php74-odbc: before 7.4.33-1.50.2
php74-mysql-debuginfo: before 7.4.33-1.50.2
php74-mysql: before 7.4.33-1.50.2
php74-mbstring-debuginfo: before 7.4.33-1.50.2
php74-mbstring: before 7.4.33-1.50.2
php74-ldap-debuginfo: before 7.4.33-1.50.2
php74-ldap: before 7.4.33-1.50.2
php74-json-debuginfo: before 7.4.33-1.50.2
php74-json: before 7.4.33-1.50.2
php74-intl-debuginfo: before 7.4.33-1.50.2
php74-intl: before 7.4.33-1.50.2
php74-iconv-debuginfo: before 7.4.33-1.50.2
php74-iconv: before 7.4.33-1.50.2
php74-gmp-debuginfo: before 7.4.33-1.50.2
php74-gmp: before 7.4.33-1.50.2
php74-gettext-debuginfo: before 7.4.33-1.50.2
php74-gettext: before 7.4.33-1.50.2
php74-gd-debuginfo: before 7.4.33-1.50.2
php74-gd: before 7.4.33-1.50.2
php74-ftp-debuginfo: before 7.4.33-1.50.2
php74-ftp: before 7.4.33-1.50.2
php74-fpm-debuginfo: before 7.4.33-1.50.2
php74-fpm: before 7.4.33-1.50.2
php74-fileinfo-debuginfo: before 7.4.33-1.50.2
php74-fileinfo: before 7.4.33-1.50.2
php74-fastcgi-debuginfo: before 7.4.33-1.50.2
php74-fastcgi: before 7.4.33-1.50.2
php74-exif-debuginfo: before 7.4.33-1.50.2
php74-exif: before 7.4.33-1.50.2
php74-enchant-debuginfo: before 7.4.33-1.50.2
php74-enchant: before 7.4.33-1.50.2
php74-dom-debuginfo: before 7.4.33-1.50.2
php74-dom: before 7.4.33-1.50.2
php74-dba-debuginfo: before 7.4.33-1.50.2
php74-dba: before 7.4.33-1.50.2
php74-curl-debuginfo: before 7.4.33-1.50.2
php74-curl: before 7.4.33-1.50.2
php74-ctype-debuginfo: before 7.4.33-1.50.2
php74-ctype: before 7.4.33-1.50.2
php74-calendar-debuginfo: before 7.4.33-1.50.2
php74-calendar: before 7.4.33-1.50.2
php74-bz2-debuginfo: before 7.4.33-1.50.2
php74-bz2: before 7.4.33-1.50.2
php74-bcmath-debuginfo: before 7.4.33-1.50.2
php74-bcmath: before 7.4.33-1.50.2
php74: before 7.4.33-1.50.2
apache2-mod_php74-debuginfo: before 7.4.33-1.50.2
apache2-mod_php74: before 7.4.33-1.50.2
php74-devel: before 7.4.33-1.50.2
php74-debugsource: before 7.4.33-1.50.2
php74-debuginfo: before 7.4.33-1.50.2
External linkshttp://www.suse.com/support/update/announcement/2023/suse-su-20230072-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU16112
Risk: Low
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2015-3411
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences. A remote attacker can read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument load method, (2) the xmlwriter_open_uri function, (3) the finfo_file function, or (4) the hash_hmac_file function, as demonstrated by a filename.xml attack that bypasses an intended configuration in which client users may read only .xml files.
Update the affected package php74 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP Applications: 12-SP3 - 12-SP5
SUSE Linux Enterprise High Performance Computing: 12
SUSE Linux Enterprise Server: 12-SP2-LTSS-ERICSSON - 12-SP5
SUSE Linux Enterprise Module for Web Scripting: 12
SUSE Linux Enterprise Software Development Kit: 12-SP5
php74-zlib-debuginfo: before 7.4.33-1.50.2
php74-zlib: before 7.4.33-1.50.2
php74-zip-debuginfo: before 7.4.33-1.50.2
php74-zip: before 7.4.33-1.50.2
php74-xsl-debuginfo: before 7.4.33-1.50.2
php74-xsl: before 7.4.33-1.50.2
php74-xmlwriter-debuginfo: before 7.4.33-1.50.2
php74-xmlwriter: before 7.4.33-1.50.2
php74-xmlrpc-debuginfo: before 7.4.33-1.50.2
php74-xmlrpc: before 7.4.33-1.50.2
php74-xmlreader-debuginfo: before 7.4.33-1.50.2
php74-xmlreader: before 7.4.33-1.50.2
php74-tokenizer-debuginfo: before 7.4.33-1.50.2
php74-tokenizer: before 7.4.33-1.50.2
php74-tidy-debuginfo: before 7.4.33-1.50.2
php74-tidy: before 7.4.33-1.50.2
php74-sysvshm-debuginfo: before 7.4.33-1.50.2
php74-sysvshm: before 7.4.33-1.50.2
php74-sysvsem-debuginfo: before 7.4.33-1.50.2
php74-sysvsem: before 7.4.33-1.50.2
php74-sysvmsg-debuginfo: before 7.4.33-1.50.2
php74-sysvmsg: before 7.4.33-1.50.2
php74-sqlite-debuginfo: before 7.4.33-1.50.2
php74-sqlite: before 7.4.33-1.50.2
php74-sodium-debuginfo: before 7.4.33-1.50.2
php74-sodium: before 7.4.33-1.50.2
php74-sockets-debuginfo: before 7.4.33-1.50.2
php74-sockets: before 7.4.33-1.50.2
php74-soap-debuginfo: before 7.4.33-1.50.2
php74-soap: before 7.4.33-1.50.2
php74-snmp-debuginfo: before 7.4.33-1.50.2
php74-snmp: before 7.4.33-1.50.2
php74-shmop-debuginfo: before 7.4.33-1.50.2
php74-shmop: before 7.4.33-1.50.2
php74-readline-debuginfo: before 7.4.33-1.50.2
php74-readline: before 7.4.33-1.50.2
php74-posix-debuginfo: before 7.4.33-1.50.2
php74-posix: before 7.4.33-1.50.2
php74-phar-debuginfo: before 7.4.33-1.50.2
php74-phar: before 7.4.33-1.50.2
php74-pgsql-debuginfo: before 7.4.33-1.50.2
php74-pgsql: before 7.4.33-1.50.2
php74-pdo-debuginfo: before 7.4.33-1.50.2
php74-pdo: before 7.4.33-1.50.2
php74-pcntl-debuginfo: before 7.4.33-1.50.2
php74-pcntl: before 7.4.33-1.50.2
php74-openssl-debuginfo: before 7.4.33-1.50.2
php74-openssl: before 7.4.33-1.50.2
php74-opcache-debuginfo: before 7.4.33-1.50.2
php74-opcache: before 7.4.33-1.50.2
php74-odbc-debuginfo: before 7.4.33-1.50.2
php74-odbc: before 7.4.33-1.50.2
php74-mysql-debuginfo: before 7.4.33-1.50.2
php74-mysql: before 7.4.33-1.50.2
php74-mbstring-debuginfo: before 7.4.33-1.50.2
php74-mbstring: before 7.4.33-1.50.2
php74-ldap-debuginfo: before 7.4.33-1.50.2
php74-ldap: before 7.4.33-1.50.2
php74-json-debuginfo: before 7.4.33-1.50.2
php74-json: before 7.4.33-1.50.2
php74-intl-debuginfo: before 7.4.33-1.50.2
php74-intl: before 7.4.33-1.50.2
php74-iconv-debuginfo: before 7.4.33-1.50.2
php74-iconv: before 7.4.33-1.50.2
php74-gmp-debuginfo: before 7.4.33-1.50.2
php74-gmp: before 7.4.33-1.50.2
php74-gettext-debuginfo: before 7.4.33-1.50.2
php74-gettext: before 7.4.33-1.50.2
php74-gd-debuginfo: before 7.4.33-1.50.2
php74-gd: before 7.4.33-1.50.2
php74-ftp-debuginfo: before 7.4.33-1.50.2
php74-ftp: before 7.4.33-1.50.2
php74-fpm-debuginfo: before 7.4.33-1.50.2
php74-fpm: before 7.4.33-1.50.2
php74-fileinfo-debuginfo: before 7.4.33-1.50.2
php74-fileinfo: before 7.4.33-1.50.2
php74-fastcgi-debuginfo: before 7.4.33-1.50.2
php74-fastcgi: before 7.4.33-1.50.2
php74-exif-debuginfo: before 7.4.33-1.50.2
php74-exif: before 7.4.33-1.50.2
php74-enchant-debuginfo: before 7.4.33-1.50.2
php74-enchant: before 7.4.33-1.50.2
php74-dom-debuginfo: before 7.4.33-1.50.2
php74-dom: before 7.4.33-1.50.2
php74-dba-debuginfo: before 7.4.33-1.50.2
php74-dba: before 7.4.33-1.50.2
php74-curl-debuginfo: before 7.4.33-1.50.2
php74-curl: before 7.4.33-1.50.2
php74-ctype-debuginfo: before 7.4.33-1.50.2
php74-ctype: before 7.4.33-1.50.2
php74-calendar-debuginfo: before 7.4.33-1.50.2
php74-calendar: before 7.4.33-1.50.2
php74-bz2-debuginfo: before 7.4.33-1.50.2
php74-bz2: before 7.4.33-1.50.2
php74-bcmath-debuginfo: before 7.4.33-1.50.2
php74-bcmath: before 7.4.33-1.50.2
php74: before 7.4.33-1.50.2
apache2-mod_php74-debuginfo: before 7.4.33-1.50.2
apache2-mod_php74: before 7.4.33-1.50.2
php74-devel: before 7.4.33-1.50.2
php74-debugsource: before 7.4.33-1.50.2
php74-debuginfo: before 7.4.33-1.50.2
External linkshttp://www.suse.com/support/update/announcement/2023/suse-su-20230072-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU70788
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-31631
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to integer overflow when processing untrusted input within the PDO::quote() in PDO_SQLite. A remote attacker can pass a specially crafted input to the application that after being processed by the affected PDO::quote() method will return a quoted string, which can result in a SQL injection. MitigationUpdate the affected package php74 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP Applications: 12-SP3 - 12-SP5
SUSE Linux Enterprise High Performance Computing: 12
SUSE Linux Enterprise Server: 12-SP2-LTSS-ERICSSON - 12-SP5
SUSE Linux Enterprise Module for Web Scripting: 12
SUSE Linux Enterprise Software Development Kit: 12-SP5
php74-zlib-debuginfo: before 7.4.33-1.50.2
php74-zlib: before 7.4.33-1.50.2
php74-zip-debuginfo: before 7.4.33-1.50.2
php74-zip: before 7.4.33-1.50.2
php74-xsl-debuginfo: before 7.4.33-1.50.2
php74-xsl: before 7.4.33-1.50.2
php74-xmlwriter-debuginfo: before 7.4.33-1.50.2
php74-xmlwriter: before 7.4.33-1.50.2
php74-xmlrpc-debuginfo: before 7.4.33-1.50.2
php74-xmlrpc: before 7.4.33-1.50.2
php74-xmlreader-debuginfo: before 7.4.33-1.50.2
php74-xmlreader: before 7.4.33-1.50.2
php74-tokenizer-debuginfo: before 7.4.33-1.50.2
php74-tokenizer: before 7.4.33-1.50.2
php74-tidy-debuginfo: before 7.4.33-1.50.2
php74-tidy: before 7.4.33-1.50.2
php74-sysvshm-debuginfo: before 7.4.33-1.50.2
php74-sysvshm: before 7.4.33-1.50.2
php74-sysvsem-debuginfo: before 7.4.33-1.50.2
php74-sysvsem: before 7.4.33-1.50.2
php74-sysvmsg-debuginfo: before 7.4.33-1.50.2
php74-sysvmsg: before 7.4.33-1.50.2
php74-sqlite-debuginfo: before 7.4.33-1.50.2
php74-sqlite: before 7.4.33-1.50.2
php74-sodium-debuginfo: before 7.4.33-1.50.2
php74-sodium: before 7.4.33-1.50.2
php74-sockets-debuginfo: before 7.4.33-1.50.2
php74-sockets: before 7.4.33-1.50.2
php74-soap-debuginfo: before 7.4.33-1.50.2
php74-soap: before 7.4.33-1.50.2
php74-snmp-debuginfo: before 7.4.33-1.50.2
php74-snmp: before 7.4.33-1.50.2
php74-shmop-debuginfo: before 7.4.33-1.50.2
php74-shmop: before 7.4.33-1.50.2
php74-readline-debuginfo: before 7.4.33-1.50.2
php74-readline: before 7.4.33-1.50.2
php74-posix-debuginfo: before 7.4.33-1.50.2
php74-posix: before 7.4.33-1.50.2
php74-phar-debuginfo: before 7.4.33-1.50.2
php74-phar: before 7.4.33-1.50.2
php74-pgsql-debuginfo: before 7.4.33-1.50.2
php74-pgsql: before 7.4.33-1.50.2
php74-pdo-debuginfo: before 7.4.33-1.50.2
php74-pdo: before 7.4.33-1.50.2
php74-pcntl-debuginfo: before 7.4.33-1.50.2
php74-pcntl: before 7.4.33-1.50.2
php74-openssl-debuginfo: before 7.4.33-1.50.2
php74-openssl: before 7.4.33-1.50.2
php74-opcache-debuginfo: before 7.4.33-1.50.2
php74-opcache: before 7.4.33-1.50.2
php74-odbc-debuginfo: before 7.4.33-1.50.2
php74-odbc: before 7.4.33-1.50.2
php74-mysql-debuginfo: before 7.4.33-1.50.2
php74-mysql: before 7.4.33-1.50.2
php74-mbstring-debuginfo: before 7.4.33-1.50.2
php74-mbstring: before 7.4.33-1.50.2
php74-ldap-debuginfo: before 7.4.33-1.50.2
php74-ldap: before 7.4.33-1.50.2
php74-json-debuginfo: before 7.4.33-1.50.2
php74-json: before 7.4.33-1.50.2
php74-intl-debuginfo: before 7.4.33-1.50.2
php74-intl: before 7.4.33-1.50.2
php74-iconv-debuginfo: before 7.4.33-1.50.2
php74-iconv: before 7.4.33-1.50.2
php74-gmp-debuginfo: before 7.4.33-1.50.2
php74-gmp: before 7.4.33-1.50.2
php74-gettext-debuginfo: before 7.4.33-1.50.2
php74-gettext: before 7.4.33-1.50.2
php74-gd-debuginfo: before 7.4.33-1.50.2
php74-gd: before 7.4.33-1.50.2
php74-ftp-debuginfo: before 7.4.33-1.50.2
php74-ftp: before 7.4.33-1.50.2
php74-fpm-debuginfo: before 7.4.33-1.50.2
php74-fpm: before 7.4.33-1.50.2
php74-fileinfo-debuginfo: before 7.4.33-1.50.2
php74-fileinfo: before 7.4.33-1.50.2
php74-fastcgi-debuginfo: before 7.4.33-1.50.2
php74-fastcgi: before 7.4.33-1.50.2
php74-exif-debuginfo: before 7.4.33-1.50.2
php74-exif: before 7.4.33-1.50.2
php74-enchant-debuginfo: before 7.4.33-1.50.2
php74-enchant: before 7.4.33-1.50.2
php74-dom-debuginfo: before 7.4.33-1.50.2
php74-dom: before 7.4.33-1.50.2
php74-dba-debuginfo: before 7.4.33-1.50.2
php74-dba: before 7.4.33-1.50.2
php74-curl-debuginfo: before 7.4.33-1.50.2
php74-curl: before 7.4.33-1.50.2
php74-ctype-debuginfo: before 7.4.33-1.50.2
php74-ctype: before 7.4.33-1.50.2
php74-calendar-debuginfo: before 7.4.33-1.50.2
php74-calendar: before 7.4.33-1.50.2
php74-bz2-debuginfo: before 7.4.33-1.50.2
php74-bz2: before 7.4.33-1.50.2
php74-bcmath-debuginfo: before 7.4.33-1.50.2
php74-bcmath: before 7.4.33-1.50.2
php74: before 7.4.33-1.50.2
apache2-mod_php74-debuginfo: before 7.4.33-1.50.2
apache2-mod_php74: before 7.4.33-1.50.2
php74-devel: before 7.4.33-1.50.2
php74-debugsource: before 7.4.33-1.50.2
php74-debuginfo: before 7.4.33-1.50.2
External linkshttp://www.suse.com/support/update/announcement/2023/suse-su-20230072-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.