gsd-2015-5723
Vulnerability from gsd
Modified
2023-12-13 01:20
Details
Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2015-5723",
"description": "Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code.",
"id": "GSD-2015-5723",
"references": [
"https://www.debian.org/security/2015/dsa-3369",
"https://advisories.mageia.org/CVE-2015-5723.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2015-5723"
],
"details": "Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code.",
"id": "GSD-2015-5723",
"modified": "2023-12-13T01:20:06.815000Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-5723",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-3369",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2015/dsa-3369"
},
{
"name": "FEDORA-2016-8dc0af2c29",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67/"
},
{
"name": "http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html",
"refsource": "CONFIRM",
"url": "http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html"
},
{
"name": "http://framework.zend.com/security/advisory/ZF2015-07",
"refsource": "CONFIRM",
"url": "http://framework.zend.com/security/advisory/ZF2015-07"
},
{
"name": "FEDORA-2016-fa7e683c6e",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO/"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=3.0.0-stable,\u003c3.2.1",
"affected_versions": "All versions starting from 3.0.0 before 3.2.1",
"credit": "Ryan Lane (https://github.com/ryan-lane)",
"cvss_v2": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"cvss_v3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-264",
"CWE-937"
],
"date": "2016-11-28",
"description": "There\u0027s an improper default directory umask that can potentially allow unauthorized modifications of PHP code. ",
"fixed_versions": [
"3.2.1"
],
"identifier": "CVE-2015-5723",
"identifiers": [
"CVE-2015-5723"
],
"not_impacted": "All versions before 3.0.0-stable, all versions starting from 3.2.1",
"package_slug": "packagist/aws/aws-sdk-php",
"pubdate": "2016-06-07",
"solution": "Upgrade to version 3.2.1 or above.",
"title": "Security Misconfiguration Vulnerability",
"urls": [
"http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html",
"https://github.com/aws/aws-sdk-php/releases/tag/3.2.1"
],
"uuid": "38787c3a-112f-4a7f-815a-487778b32fdd"
},
{
"affected_range": "\u003c1.2.7",
"affected_versions": "All versions before 1.2.7",
"credit": "Ryan Lane for finding the vulnerability, Jonathan Eskew from the AWS team to pass this security vulnerability and Anthony Ferrara for helping and find solutions to the problem.",
"cvss_v2": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"cvss_v3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-264",
"CWE-937"
],
"date": "2016-11-28",
"description": "Doctrine uses `mkdir($cacheDirectory )` to create caches directories. if your application runs with a umask of ",
"fixed_versions": [
"1.2.7"
],
"identifier": "CVE-2015-5723",
"identifiers": [
"CVE-2015-5723"
],
"package_slug": "packagist/doctrine/annotations",
"pubdate": "2016-06-07",
"solution": "Update to fixed version, or don\u0027t run application with umask 0",
"title": "Security Misconfiguration Vulnerability",
"urls": [
"http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-5723",
"http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html"
],
"uuid": "8526e33a-a37e-4950-8890-3cf9b052e958"
},
{
"affected_range": "\u003e=1.4.0,\u003c1.4.2||\u003c1.3.2",
"affected_versions": "All versions starting from 1.4.0 before 1.4.2, all versions before 1.3.2",
"credit": "Ryan Lane for finding the vulnerability, Jonathan Eskew from the AWS team to pass this security vulnerability and Anthony Ferrara for helping and find solutions to the problem.",
"cvss_v2": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"cvss_v3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-264",
"CWE-937"
],
"date": "2016-11-28",
"description": "Doctrine uses `mkdir($cacheDirectory )` to create caches directories. if your application runs with a umask of ",
"fixed_versions": [
"1.3.2",
"1.4.2"
],
"identifier": "CVE-2015-5723",
"identifiers": [
"CVE-2015-5723"
],
"package_slug": "packagist/doctrine/cache",
"pubdate": "2016-06-07",
"solution": "Update to fixed version, or don\u0027t run application with umask 0",
"title": "Security Misconfiguration Vulnerability",
"urls": [
"http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-5723",
"http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html"
],
"uuid": "90fae343-bb19-4061-8fa1-d3423ad4b6a6"
},
{
"affected_range": "\u003e=2.5.0-stable,\u003c2.5.1||\u003c2.4.3",
"affected_versions": "All versions starting from 2.5.0 before 2.5.1, all versions before 2.4.3",
"credit": "Ryan Lane for finding the vulnerability, Jonathan Eskew from the AWS team to pass this security vulnerability and Anthony Ferrara for helping and find solutions to the problem.",
"cvss_v2": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"cvss_v3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-264",
"CWE-937"
],
"date": "2016-11-28",
"description": "Doctrine uses `mkdir($cacheDirectory )` to create caches directories. if your application runs with a umask of ",
"fixed_versions": [
"2.4.3",
"2.5.1"
],
"identifier": "CVE-2015-5723",
"identifiers": [
"CVE-2015-5723"
],
"package_slug": "packagist/doctrine/common",
"pubdate": "2016-06-07",
"solution": "Update to fixed version, or don\u0027t run application with umask 0",
"title": "Security Misconfiguration Vulnerability",
"urls": [
"http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-5723",
"http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html"
],
"uuid": "b2b7d845-b4e8-4467-b686-c15ce686ff89"
},
{
"affected_range": "\u003c1.5.2",
"affected_versions": "All versions before 1.5.2",
"cvss_v2": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"cvss_v3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-264",
"CWE-937"
],
"date": "2016-11-28",
"description": "Doctrine Annotations allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code.",
"fixed_versions": [
"1.5.2"
],
"identifier": "CVE-2015-5723",
"identifiers": [
"CVE-2015-5723"
],
"not_impacted": "All versions starting from 1.5.2",
"package_slug": "packagist/doctrine/doctrine-bundle",
"pubdate": "2016-06-07",
"solution": "Upgrade to version 1.5.2 or above.",
"title": "Security Misconfiguration",
"urls": [
"https://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html"
],
"uuid": "37e681d5-ed8e-4991-8b34-4f3785b2a979"
},
{
"affected_range": "\u003c3.0.1",
"affected_versions": "All versions before 3.0.1",
"credit": "Ryan Lane for finding the vulnerability, Jonathan Eskew from the AWS team to pass this security vulnerability and Anthony Ferrara for helping and find solutions to the problem.",
"cvss_v2": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"cvss_v3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-264",
"CWE-937"
],
"date": "2016-11-28",
"description": "Doctrine uses `mkdir($cacheDirectory )` to create caches directories. if your application runs with a umask of ",
"fixed_versions": [
"3.0.1"
],
"identifier": "CVE-2015-5723",
"identifiers": [
"CVE-2015-5723"
],
"package_slug": "packagist/doctrine/mongodb-odm-bundle",
"pubdate": "2016-06-07",
"solution": "Update to fixed version, or don\u0027t run application with umask 0",
"title": "Security Misconfiguration Vulnerability",
"urls": [
"http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-5723",
"http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html"
],
"uuid": "fd9756dc-cc27-4d0f-bea7-be4b22d7b83c"
},
{
"affected_range": "\u003e=1.0.0,\u003c1.0.2",
"affected_versions": "All versions starting from 1.0.0 before 1.0.2",
"cvss_v2": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"cvss_v3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-264",
"CWE-937"
],
"date": "2016-11-28",
"description": "Doctrine Annotations allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code.",
"fixed_versions": [
"1.0.2"
],
"identifier": "CVE-2015-5723",
"identifiers": [
"CVE-2015-5723"
],
"not_impacted": "All versions before 1.0.0, all versions starting from 1.0.2",
"package_slug": "packagist/doctrine/mongodb-odm",
"pubdate": "2016-06-07",
"solution": "Upgrade to version 1.0.2 or above.",
"title": "Security Misconfiguration Vulnerability in various Doctrine projects",
"urls": [
"https://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html"
],
"uuid": "6652e33b-ec20-4e27-83a9-7e2420bc2e82"
},
{
"affected_range": "\u003e=2.0.0,\u003c2.4.8||\u003e=2.5.0,\u003c2.5.1",
"affected_versions": "All versions starting from 2.0.0 before 2.4.8, all versions starting from 2.5.0 before 2.5.1",
"cvss_v2": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"cvss_v3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-264",
"CWE-937"
],
"date": "2016-11-28",
"description": "Doctrine Annotations allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code.",
"fixed_versions": [
"2.4.8",
"2.5.1"
],
"identifier": "CVE-2015-5723",
"identifiers": [
"CVE-2015-5723"
],
"not_impacted": "All versions before 2.0.0, all versions starting from 2.4.8 before 2.5.0, all versions starting from 2.5.1",
"package_slug": "packagist/doctrine/orm",
"pubdate": "2016-06-07",
"solution": "Upgrade to versions 2.4.8, 2.5.1 or above.",
"title": "Security Misconfiguration Vulnerability in various Doctrine projects",
"urls": [
"https://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html"
],
"uuid": "e30c4782-e7c3-40e6-8b46-2b18cc55ab23"
},
{
"affected_range": "\u003c2.4.8||\u003e=2.5.0,\u003c2.5.3",
"affected_versions": "All versions before 2.4.8, all versions starting from 2.5.0 before 2.5.3",
"credit": "Marco Pivetta, Matthew Weier O\u0027Phinney",
"cvss_v2": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"cvss_v3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-264",
"CWE-937"
],
"date": "2016-11-28",
"description": "The permission masks is not properly set when creating a new directory or file. This can lead to local arbitrary code execution or privilege escalation. Such attacks typically require direct access to a user of the system to exploit, but are dangerous vectors when available. ",
"fixed_versions": [
"2.4.8",
"2.5.3"
],
"identifier": "CVE-2015-5723",
"identifiers": [
"CVE-2015-5723"
],
"not_impacted": "All versions starting from 2.4.8 before 2.5.0, all versions starting from 2.5.3",
"package_slug": "packagist/zendframework/zend-cache",
"pubdate": "2016-06-07",
"solution": "Upgrade to versions 2.4.8, 2.5.3 or above.",
"title": "Remote Code Execution due to incorrect permissions mask",
"urls": [
"http://framework.zend.com/security/advisory/ZF2015-07"
],
"uuid": "0fe5a92c-5500-49ba-9253-19e0c6f9c227"
},
{
"affected_range": "\u003c2.4.8",
"affected_versions": "All versions before 2.4.8",
"credit": "Marco Pivetta, Matthew Weier O\u0027Phinney",
"cvss_v2": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"cvss_v3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-264",
"CWE-937"
],
"date": "2016-11-28",
"description": "The permission masks is not properly set when creating a new directory or file. This can lead to local arbitrary code execution or privilege escalation. Such attacks typically require direct access to a user of the system to exploit, but are dangerous vectors when available. ",
"fixed_versions": [
"2.4.8"
],
"identifier": "CVE-2015-5723",
"identifiers": [
"CVE-2015-5723"
],
"not_impacted": "All versions starting from 2.4.8",
"package_slug": "packagist/zendframework/zendframework",
"pubdate": "2016-06-07",
"solution": "Upgrade to version 2.4.8 or above.",
"title": "Remote Code Execution due to incorrect permissions mask",
"urls": [
"http://framework.zend.com/security/advisory/ZF2015-07"
],
"uuid": "6b783f49-7f3b-44a0-9c0e-504ef80cd63e"
},
{
"affected_range": "\u003e=1.12.0,\u003c1.12.16",
"affected_versions": "All versions starting from 1.12.0 before 1.12.16",
"credit": "Marco Pivetta, Matthew Weier O\u0027Phinney",
"cvss_v2": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"cvss_v3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-264",
"CWE-937"
],
"date": "2016-11-28",
"description": "The permission masks is not properly set when creating a new directory or file. This can lead to local arbitrary code execution or privilege escalation. Such attacks typically require direct access to a user of the system to exploit, but are dangerous vectors when available. ",
"fixed_versions": [
"1.12.16"
],
"identifier": "CVE-2015-5723",
"identifiers": [
"CVE-2015-5723"
],
"not_impacted": "All versions before 1.12.0, all versions starting from 1.12.16",
"package_slug": "packagist/zendframework/zendframework1",
"pubdate": "2016-06-07",
"solution": "Upgrade to version 1.12.16 or above.",
"title": "Remote Code Execution due to incorrect permissions mask",
"urls": [
"http://framework.zend.com/security/advisory/ZF2015-07"
],
"uuid": "b8d5a9d9-d2e2-4c7f-9ba0-bd5a2a7e24f7"
},
{
"affected_range": "\u003c1.0.3",
"affected_versions": "All versions before 1.0.3",
"credit": "Marco Pivetta, Matthew Weier O\u0027Phinney",
"cvss_v2": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"cvss_v3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-264",
"CWE-937"
],
"date": "2016-11-28",
"description": "The permission masks is not properly set when creating a new directory or file. This can lead to local arbitrary code execution or privilege escalation. Such attacks typically require direct access to a user of the system to exploit, but are dangerous vectors when available. ",
"fixed_versions": [
"1.0.3"
],
"identifier": "CVE-2015-5723",
"identifiers": [
"CVE-2015-5723"
],
"not_impacted": "All versions starting from 1.0.3",
"package_slug": "packagist/zfcampus/zf-apigility-doctrine",
"pubdate": "2016-06-07",
"solution": "Upgrade to version 1.0.3 or above.",
"title": "Remote Code Execution due to incorrect permissions mask",
"urls": [
"http://framework.zend.com/security/advisory/ZF2015-07"
],
"uuid": "e50be02c-199f-4729-81d0-d7c404d30de5"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:zend:zend-cache:2.5.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zend:zend-cache:2.5.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zend:zend-cache:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.4.7",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zend:zend-cache:2.5.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:doctrine-project:object_relational_mapper:2.5.0:alpha2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:doctrine-project:object_relational_mapper:2.5.0:alpha1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:doctrine-project:object_relational_mapper:2.5.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:doctrine-project:object_relational_mapper:2.5.0:beta1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:doctrine-project:object_relational_mapper:2.5.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:doctrine-project:object_relational_mapper:2.5.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:doctrine-project:object_relational_mapper:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.4.7",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:doctrine-project:doctrinemongodbbundle:3.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.4.7",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:doctrine-project:common:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.4.2",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:doctrine-project:common:2.5.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:doctrine-project:common:2.5.0:beta1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:doctrine-project:annotations:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.2.6",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:doctrine-project:mongodb-odm:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.0.1",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.12.15",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:doctrine-project:cache:1.4.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:doctrine-project:cache:1.4.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:doctrine-project:cache:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.3.1",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:zend:zf-apigility-doctrine:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.0.2",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-5723"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html"
},
{
"name": "http://framework.zend.com/security/advisory/ZF2015-07",
"refsource": "CONFIRM",
"tags": [],
"url": "http://framework.zend.com/security/advisory/ZF2015-07"
},
{
"name": "DSA-3369",
"refsource": "DEBIAN",
"tags": [],
"url": "http://www.debian.org/security/2015/dsa-3369"
},
{
"name": "FEDORA-2016-fa7e683c6e",
"refsource": "FEDORA",
"tags": [],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO/"
},
{
"name": "FEDORA-2016-8dc0af2c29",
"refsource": "FEDORA",
"tags": [],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67/"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9
}
},
"lastModifiedDate": "2016-11-28T19:35Z",
"publishedDate": "2016-06-07T14:06Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.