Vulnerability CVE-2015-5723


Published: 2016-06-07

Description:
Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code.

CVSS2 => (AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.2/10
10/10
3.9/10
Exploit range
Attack complexity
Authentication
Local
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete
Affected software
ZEND -> Zend-cache 
ZEND -> Zend framework 
ZEND -> Zf-apigility-doctrine 
Doctrine-project -> Annotations 
Doctrine-project -> Cache 
Doctrine-project -> Common 
Doctrine-project -> Doctrinemongodbbundle 
Doctrine-project -> Mongodb-odm 
Doctrine-project -> Object relational mapper 
Debian -> Debian linux 

 References:
http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html
http://www.debian.org/security/2015/dsa-3369
http://framework.zend.com/security/advisory/ZF2015-07

Copyright 2021, cxsecurity.com

 

Back to Top