Vulnerability Details : CVE-2014-8626
Potential exploit
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding.
Vulnerability category: Overflow, Execute code, Denial of service
Products affected by CVE-2014-8626
- cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.2.2:*:*:*:*:*:*:*
Threat overview for CVE-2014-8626
Top open port discovered on systems with this issue: 80
IPs affected by CVE-2014-8626: 51,658
Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2014-8626
EPSS score: 6.70% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~94% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2014-8626
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | 
CWE ids for CVE-2014-8626
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2014-8626
- https://bugs.php.net/bug.php?id=45226 (PHP :: Bug #45226 :: xmlrpc_set_type() segfaults with valid ISO8601 date string; tagged Exploit)
- http://rhn.redhat.com/errata/RHSA-2014-1825.html (RHSA-2014:1825 - Security Advisory - Red Hat Customer Portal)
- http://git.php.net/?p=php-src.git;a=commit;h=c818d0d01341907fee82bdb81cab07b7d93bb9db (208.43.231.11 Git - php-src.git/commit)
- http://rhn.redhat.com/errata/RHSA-2014-1824.html (RHSA-2014:1824 - Security Advisory - Red Hat Customer Portal)
- http://openwall.com/lists/oss-security/2014/11/06/3 (oss-security - Re: CVE request: PHP xmlrpc date_from_ISO8601() buffer overflow (in php < 5.2.7))
- https://bugzilla.redhat.com/show_bug.cgi?id=1155607 (1155607 – (CVE-2014-8626) CVE-2014-8626 php: xmlrpc ISO8601 date format parsing buffer overflow)
- http://www.securityfocus.com/bid/70928 (PHP 'date_from_ISO8601()' Function Buffer Overflow Vulnerability)
- http://php.net/ChangeLog-5.php (PHP: PHP 5 ChangeLog)