CVE-2015-5723

high

Description

Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code.

References

http://framework.zend.com/security/advisory/ZF2015-07

http://www.debian.org/security/2015/dsa-3369

http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO/

https://lists.fedoraproject.org/archives/list/[email protected]/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67/

Details

Source: MITRE

Published: 2016-06-07

Updated: 2016-11-28

Type: CWE-264

Risk Information

CVSS v2

Base Score: 7.2

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 3.9

Severity: HIGH

CVSS v3

Base Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 1.8

Severity: HIGH