Vulnerability Details : CVE-2014-3710
The donote function in readelf.c in file through 5.20, as used in the Fileinfo component in PHP 5.4.34, does not ensure that sufficient note headers are present, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file.
Vulnerability category: Input validationDenial of service
Products affected by CVE-2014-3710
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*
Threat overview for CVE-2014-3710
Top countries where our scanners detected CVE-2014-3710
Top open port discovered on systems with this issue
80
IPs affected by CVE-2014-3710 298,251
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2014-3710!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2014-3710
6.27%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 94 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-3710
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST |
CWE ids for CVE-2014-3710
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-3710
-
http://www.securityfocus.com/bid/70807
PHP 'donote()' Function Out-of-Bounds Read VulnerabilityThird Party Advisory;VDB Entry
-
http://linux.oracle.com/errata/ELSA-2014-1768.html
linux.oracle.com | ELSA-2014-1768Third Party Advisory
-
https://security.gentoo.org/glsa/201503-03
PHP: Multiple vulnerabilities (GLSA 201503-03) — Gentoo securityThird Party Advisory
-
http://linux.oracle.com/errata/ELSA-2014-1767.html
linux.oracle.com | ELSA-2014-1767Third Party Advisory
-
https://bugs.php.net/bug.php?id=68283
PHP :: Sec Bug #68283 :: fileinfo: out-of-bounds read in elf note headersPatch;Vendor Advisory
-
http://lists.opensuse.org/opensuse-updates/2014-11/msg00113.html
openSUSE-SU-2014:1516-1: moderate: Security update for fileMailing List;Third Party Advisory
-
http://www.debian.org/security/2014/dsa-3072
Debian -- Security Information -- DSA-3072-1 fileThird Party Advisory
-
https://www.freebsd.org/security/advisories/FreeBSD-SA-14:28.file.asc
Third Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2014-1766.html
RHSA-2014:1766 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
Oracle Linux Bulletin - October 2015Third Party Advisory
-
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
Oracle Linux Bulletin - April 2016Third Party Advisory
-
http://www.ubuntu.com/usn/USN-2391-1
USN-2391-1: php5 vulnerabilities | Ubuntu security noticesThird Party Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=1155071
1155071 – (CVE-2014-3710) CVE-2014-3710 file: out-of-bounds read in elf note headersIssue Tracking;Third Party Advisory
-
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
Oracle Bulletin Board Update - January 2015Third Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2016-0760.html
RHSA-2016:0760 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://github.com/file/file/commit/39c7ac1106be844a5296d3eb5971946cc09ffda0
Fix note bounds reading, Francisco Alonso / Red Hat · file/file@39c7ac1 · GitHubPatch;Third Party Advisory
-
http://www.ubuntu.com/usn/USN-2494-1
USN-2494-1: file vulnerabilities | Ubuntu security noticesThird Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2014-1765.html
RHSA-2014:1765 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html
Oracle Solaris Third Party Bulletin - July 2015Third Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2014-1767.html
RHSA-2014:1767 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://security.gentoo.org/glsa/201701-42
file: Multiple vulnerabilities (GLSA 201701-42) — Gentoo securityThird Party Advisory
-
https://support.apple.com/HT204659
About the security content of OS X Yosemite v10.10.3 and Security Update 2015-004 - Apple SupportThird Party Advisory
-
http://www.securitytracker.com/id/1031344
FreeBSD file(1) and libmagic(3) File Processing Flaws Let Remote Users Deny Service - SecurityTrackerThird Party Advisory;VDB Entry
-
http://rhn.redhat.com/errata/RHSA-2014-1768.html
RHSA-2014:1768 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://git.php.net/?p=php-src.git;a=commit;h=1803228597e82218a8c105e67975bc50e6f5bf0d
208.43.231.11 Git - php-src.git/commitPatch;Vendor Advisory
-
http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html
Apple - Lists.apple.comMailing List;Third Party Advisory
Jump to