Vulnerability DatabaseCVE-2014-3515
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2014-3515
Published:July 09, 2014
Updated:May 17, 2026
The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to "type confusion" issues in (1) ArrayObject and (2) SPLObjectStorage.
Related Resources (17)
http://secunia.com/advisories/60998
http://www-01.ibm.com/support/docview.wss?uid=swg21683486
http://secunia.com/advisories/59794
http://www.securityfocus.com/bid/68237
http://www.debian.org/security/2014/dsa-2974
http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=88223c5245e9b470e1e6362bfd96829562ffe6ab
http://www.php.net/ChangeLog-5.php
http://marc.info/?l=bugtraq&m=141017844705317&w=2
https://bugs.php.net/bug.php?id=67492
http://secunia.com/advisories/59831
http://rhn.redhat.com/errata/RHSA-2014-1765.html
https://people.canonical.com/~ubuntu-security/cve/CVE-2014-3515
http://lists.opensuse.org/opensuse-updates/2014-09/msg00046.html
https://access.redhat.com/security/cve/CVE-2014-3515
http://rhn.redhat.com/errata/RHSA-2014-1766.html
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
http://support.apple.com/kb/HT6443
Do you need more information?
Contact Us
CVSS v3
Base Score:
7.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
LOW
CVSS v2
Base Score:
7.5
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
EPSS
Base Score:
48.66