cve-2015-5723
Vulnerability from cvelistv5
Published
2016-06-07 14:00
Modified
2024-08-06 06:59
Severity ?
EPSS score ?
Summary
Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T06:59:04.234Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "DSA-3369", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2015/dsa-3369" }, { "name": "FEDORA-2016-8dc0af2c29", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://framework.zend.com/security/advisory/ZF2015-07" }, { "name": "FEDORA-2016-fa7e683c6e", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-09-15T00:00:00", "descriptions": [ { "lang": "en", "value": "Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-11-25T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "DSA-3369", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2015/dsa-3369" }, { "name": "FEDORA-2016-8dc0af2c29", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://framework.zend.com/security/advisory/ZF2015-07" }, { "name": "FEDORA-2016-fa7e683c6e", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-5723", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "DSA-3369", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3369" }, { "name": "FEDORA-2016-8dc0af2c29", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67/" }, { "name": "http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html", "refsource": "CONFIRM", "url": "http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html" }, { "name": "http://framework.zend.com/security/advisory/ZF2015-07", "refsource": "CONFIRM", "url": "http://framework.zend.com/security/advisory/ZF2015-07" }, { "name": "FEDORA-2016-fa7e683c6e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-5723", "datePublished": "2016-06-07T14:00:00", "dateReserved": "2015-08-03T00:00:00", "dateUpdated": "2024-08-06T06:59:04.234Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2015-5723\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2016-06-07T14:06:08.697\",\"lastModified\":\"2024-11-21T02:33:42.940\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code.\"},{\"lang\":\"es\",\"value\":\"Doctrine Annotations en versiones anteriores a 1.2.7, Cache en versiones anteriores a 1.3.2 y 1.4.x en versiones anteriores a 1.4.2, Common en versiones anteriores a 2.4.3 y 2.5.x en versiones anteriores a 2.5.1, ORM en versiones anteriores 2.4.8 o 2.5.x en versiones anteriores 2.5.1, MongoDB ODM en versiones anteriores a 1.0.2 y MongoDB ODM Bundle en versiones anteriores a 3.0.1 utilizan permisos de escritura universal para directorios de cach\u00e9, lo que permite a usuarios locales ejecutar c\u00f3digo PHP arbitrario con privilegios adicionales aprovechando una aplicaci\u00f3n con el umask establecido a 0 y que ejecuta entradas de cach\u00e9 como c\u00f3digo.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:C/I:C/A:C\",\"baseScore\":7.2,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":3.9,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-264\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zend:zend-cache:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.4.7\",\"matchCriteriaId\":\"67A5BE81-0B49-43A9-B4D3-54FCE0D6AE28\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zend:zend-cache:2.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4E95FED4-A1B2-4851-AF95-0979121C0A69\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zend:zend-cache:2.5.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DAC6C748-A52E-47A4-A615-70E59D1D30EC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zend:zend-cache:2.5.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"ED45A472-B109-44FA-901B-164DF0F4DF40\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"16F59A04-14CF-49E2-9973-645477EA09DA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:doctrine-project:object_relational_mapper:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.4.7\",\"matchCriteriaId\":\"8904C198-BB8B-4E8C-80ED-CC4676065781\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:doctrine-project:object_relational_mapper:2.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5ED8B959-CE8F-49AA-B998-8598C8F0A6D3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:doctrine-project:object_relational_mapper:2.5.0:alpha1:*:*:*:*:*:*\",\"matchCriteriaId\":\"C2A8659A-7A7F-40B9-B60F-71FE4637B016\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:doctrine-project:object_relational_mapper:2.5.0:alpha2:*:*:*:*:*:*\",\"matchCriteriaId\":\"2C887BAC-8EEC-4F3D-B1D8-023B80A3D8B1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:doctrine-project:object_relational_mapper:2.5.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"75BA49E2-ABC5-4A61-968B-1CAA2FF7A942\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:doctrine-project:object_relational_mapper:2.5.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"F2D4F787-6BE1-4CC6-9A24-00EE601ACCEE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:doctrine-project:object_relational_mapper:2.5.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"E14E6992-D334-465E-ACE9-F0D0DA6FDC05\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:doctrine-project:doctrinemongodbbundle:3.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5E8FB62B-8DB3-46D9-9636-B877B10061C1\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.4.7\",\"matchCriteriaId\":\"1AB7019C-C868-4512-8855-F6ED2AC6A3A7\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:doctrine-project:common:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.4.2\",\"matchCriteriaId\":\"F004153E-7D36-4621-96DC-C47522EC1204\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:doctrine-project:common:2.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A88FB2A6-8AE3-46F4-91EB-BD7CAE22A83D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:doctrine-project:common:2.5.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"DF529016-31C4-4948-BA5C-3ED7C3DE062C\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:doctrine-project:annotations:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.2.6\",\"matchCriteriaId\":\"520EA826-22BD-496F-9DC9-267C76319B23\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:doctrine-project:mongodb-odm:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.0.1\",\"matchCriteriaId\":\"DF62C793-9B7F-4B67-A7AC-CD27F6670B2D\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.12.15\",\"matchCriteriaId\":\"F2CA52AF-D551-4CE9-A4CD-F264F702634A\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:doctrine-project:cache:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.3.1\",\"matchCriteriaId\":\"809D06DE-60BB-4697-94E7-CEE067FED890\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:doctrine-project:cache:1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0E592D06-5F25-4015-A780-595130F48055\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:doctrine-project:cache:1.4.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B0E6EA11-5D22-42C7-A085-28CCF728F4C5\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zend:zf-apigility-doctrine:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.0.2\",\"matchCriteriaId\":\"461C9713-8E45-4642-8D35-F9878F931080\"}]}]}],\"references\":[{\"url\":\"http://framework.zend.com/security/advisory/ZF2015-07\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.debian.org/security/2015/dsa-3369\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67/\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://framework.zend.com/security/advisory/ZF2015-07\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.debian.org/security/2015/dsa-3369\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.