Use-after-free in PHP - CVE-2015-0231
Published: November 27, 2018 / Updated: June 17, 2021
Vulnerability identifier: #VU16101
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2015-0231
CWE-ID: CWE-416
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: PHP Group
Affected software:
PHP
PHP
Detailed vulnerability description
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to гse-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5. A remote attacker can trigger memory corruption via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an objecе. Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
How to mitigate CVE-2015-0231
Install update from vendor's website.