CVE-2014-3587

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1571.

References

http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html

http://php.net/ChangeLog-5.php

http://rhn.redhat.com/errata/RHSA-2014-1326.html

http://rhn.redhat.com/errata/RHSA-2014-1327.html

http://rhn.redhat.com/errata/RHSA-2014-1765.html

http://rhn.redhat.com/errata/RHSA-2014-1766.html

http://rhn.redhat.com/errata/RHSA-2016-0760.html

http://secunia.com/advisories/60609

http://secunia.com/advisories/60696

http://www.debian.org/security/2014/dsa-3008

http://www.debian.org/security/2014/dsa-3021

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html

http://www.securityfocus.com/bid/69325

http://www.ubuntu.com/usn/USN-2344-1

http://www.ubuntu.com/usn/USN-2369-1

https://bugs.php.net/bug.php?id=67716

https://github.com/file/file/commit/0641e56be1af003aa02c7c6b0184466540637233

https://github.com/php/php-src/commit/7ba1409a1aee5925180de546057ddd84ff267947

https://security-tracker.debian.org/tracker/CVE-2014-3587

https://support.apple.com/HT204659

Details

Source: MITRE

Published: 2014-08-23

Updated: 2018-01-05

Type: CWE-189

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:christos_zoulas:file:5.00:*:*:*:*:*:*:*

cpe:2.3:a:christos_zoulas:file:5.01:*:*:*:*:*:*:*

cpe:2.3:a:christos_zoulas:file:5.02:*:*:*:*:*:*:*

cpe:2.3:a:christos_zoulas:file:5.03:*:*:*:*:*:*:*

cpe:2.3:a:christos_zoulas:file:5.04:*:*:*:*:*:*:*

cpe:2.3:a:christos_zoulas:file:5.05:*:*:*:*:*:*:*

cpe:2.3:a:christos_zoulas:file:5.06:*:*:*:*:*:*:*

cpe:2.3:a:christos_zoulas:file:5.07:*:*:*:*:*:*:*

cpe:2.3:a:christos_zoulas:file:5.08:*:*:*:*:*:*:*

cpe:2.3:a:christos_zoulas:file:5.09:*:*:*:*:*:*:*

cpe:2.3:a:christos_zoulas:file:5.10:*:*:*:*:*:*:*

cpe:2.3:a:christos_zoulas:file:5.11:*:*:*:*:*:*:*

cpe:2.3:a:christos_zoulas:file:5.12:*:*:*:*:*:*:*

cpe:2.3:a:christos_zoulas:file:5.13:*:*:*:*:*:*:*

cpe:2.3:a:christos_zoulas:file:5.14:*:*:*:*:*:*:*

cpe:2.3:a:christos_zoulas:file:5.15:*:*:*:*:*:*:*

cpe:2.3:a:christos_zoulas:file:5.16:*:*:*:*:*:*:*

cpe:2.3:a:christos_zoulas:file:5.17:*:*:*:*:*:*:*

cpe:2.3:a:christos_zoulas:file:5.18:*:*:*:*:*:*:*

cpe:2.3:a:christos_zoulas:file:*:*:*:*:*:*:*:* versions up to 5.19 (inclusive)

cpe:2.3:a:php:php:5.4.0:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.0:beta2:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.0:beta2:32-bit:*:*:*:*:*

cpe:2.3:a:php:php:5.4.0:rc2:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.1:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.2:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.3:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.4:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.5:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.6:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.7:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.8:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.9:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.10:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.11:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.12:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.12:rc1:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.12:rc2:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.13:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.13:rc1:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.14:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.14:rc1:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.15:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.15:rc1:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.16:rc1:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.17:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.18:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.19:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.20:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.21:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.22:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.23:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.24:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.25:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.26:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.27:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.28:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.29:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.4.30:*:*:*:*:*:*:*

cpe:2.3:a:php:php:*:*:*:*:*:*:*:* versions up to 5.4.31 (inclusive)

cpe:2.3:a:php:php:5.5.0:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.0:alpha1:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.0:alpha2:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.0:alpha3:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.0:alpha4:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.0:alpha5:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.0:alpha6:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.0:beta1:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.0:beta2:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.0:beta3:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.0:beta4:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.0:rc1:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.0:rc2:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.1:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.2:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.3:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.4:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.5:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.6:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.7:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.8:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.9:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.10:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.11:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.12:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.13:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.14:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.5.15:*:*:*:*:*:*:*

Tenable Plugins

View all (43 total)

IDNameProductFamilySeverity
124927EulerOS Virtualization 3.0.1.0 : file (EulerOS-SA-2019-1424)NessusHuawei Local Security Checks
high
700510Mac OS X 10.10.x < 10.10.3 Multiple VulnerabilitiesNessus Network MonitorOperating System Detection
critical
119979SUSE SLES12 Security Update : php5 (SUSE-SU-2016:2408-1)NessusSuSE Local Security Checks
critical
93856openSUSE Security Update : php5 (openSUSE-2016-1156)NessusSuSE Local Security Checks
critical
93589SUSE SLES11 Security Update : php53 (SUSE-SU-2016:2328-1)NessusSuSE Local Security Checks
critical
93367SUSE SLES11 Security Update : php53 (SUSE-SU-2016:2210-1)NessusSuSE Local Security Checks
critical
91537Scientific Linux Security Update : file on SL6.x i386/x86_64 (20160510)NessusScientific Linux Local Security Checks
high
91167CentOS 6 : file (CESA-2016:0760)NessusCentOS Local Security Checks
high
91155OracleVM 3.3 / 3.4 : file (OVMSA-2016-0050)NessusOracleVM Local Security Checks
high
91149Oracle Linux 6 : file (ELSA-2016-0760)NessusOracle Linux Local Security Checks
high
91074RHEL 6 : file (RHSA-2016:0760)NessusRed Hat Local Security Checks
high
87555Scientific Linux Security Update : file on SL7.x x86_64 (20151119)NessusScientific Linux Local Security Checks
high
87137CentOS 7 : file (CESA-2015:2155)NessusCentOS Local Security Checks
high
87027Oracle Linux 7 : file (ELSA-2015-2155)NessusOracle Linux Local Security Checks
high
86973RHEL 7 : file (RHSA-2015:2155)NessusRed Hat Local Security Checks
high
82700Mac OS X Multiple Vulnerabilities (Security Update 2015-004) (FREAK)NessusMacOS X Local Security Checks
critical
82699Mac OS X 10.10.x < 10.10.3 Multiple Vulnerabilities (FREAK)NessusMacOS X Local Security Checks
critical
82333Mandriva Linux Security Advisory : php (MDVSA-2015:080)NessusMandriva Local Security Checks
high
82212Debian DLA-67-1 : php5 security updateNessusDebian Local Security Checks
medium
82197Debian DLA-50-1 : file security updateNessusDebian Local Security Checks
medium
78556PHP 5.6.0 Multiple VulnerabilitiesNessusCGI abuses
high
78419Scientific Linux Security Update : php53 and php on SL5.x, SL6.x i386/x86_64 (20140930)NessusScientific Linux Local Security Checks
medium
78358Amazon Linux AMI : php55 (ALAS-2014-415)NessusAmazon Linux Local Security Checks
medium
78341Amazon Linux AMI : file (ALAS-2014-398)NessusAmazon Linux Local Security Checks
medium
78042Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS : file vulnerability (USN-2369-1)NessusUbuntu Local Security Checks
medium
78009RHEL 7 : php (RHSA-2014:1327)NessusRed Hat Local Security Checks
medium
78005Oracle Linux 7 : php (ELSA-2014-1327)NessusOracle Linux Local Security Checks
medium
78004Oracle Linux 5 / 6 : php / php53 (ELSA-2014-1326)NessusOracle Linux Local Security Checks
medium
77996CentOS 7 : php (CESA-2014:1327)NessusCentOS Local Security Checks
medium
77995CentOS 5 / 6 : php / php53 (CESA-2014:1326)NessusCentOS Local Security Checks
medium
77980RHEL 5 / 6 : php53 and php (RHSA-2014:1326)NessusRed Hat Local Security Checks
medium
77651Mandriva Linux Security Advisory : php (MDVSA-2014:172)NessusMandriva Local Security Checks
medium
77646Mandriva Linux Security Advisory : file (MDVSA-2014:167)NessusMandriva Local Security Checks
medium
77602Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS : php5 vulnerabilities (USN-2344-1)NessusUbuntu Local Security Checks
medium
77585Debian DSA-3021-1 : file - security updateNessusDebian Local Security Checks
medium
77543Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : php (SSA:2014-247-01)NessusSlackware Local Security Checks
medium
77482Fedora 20 : php-5.5.16-1.fc20 (2014-9684)NessusFedora Local Security Checks
medium
77481Fedora 19 : php-5.5.16-1.fc19 (2014-9679)NessusFedora Local Security Checks
medium
8360PHP 5.4.x < 5.4.32 / 5.5.x < 5.5.16 Multiple VulnerabilitiesNessus Network MonitorWeb Servers
high
77403PHP 5.5.x < 5.5.16 Multiple VulnerabilitiesNessusCGI abuses
medium
77402PHP 5.4.x < 5.4.32 Multiple VulnerabilitiesNessusCGI abuses
medium
77363Fedora 20 : file-5.19-4.fc20 (2014-9712)NessusFedora Local Security Checks
medium
77307Debian DSA-3008-1 : php5 - security updateNessusDebian Local Security Checks
medium