CVE-2014-3480 — MEDIUM (6.5)

Q: How severe is CVE-2014-3480?

CVE-2014-3480 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2014-3480?

Check the references section above for vendor advisories and patch information. Affected products include: File Project File, Php Php, Debian Debian Linux, Opensuse Opensuse, Oracle Linux.

Vulnerability Description

The cdf_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate sector-count data, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
File Project	File	< 5.19
Php	Php	< 5.3.29
Debian	Debian Linux	7.0
Opensuse	Opensuse	11.4
Oracle	Linux	7

Related Weaknesses (CWE)

CWE-20

References

http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.htmlBroken LinkMailing List
http://lists.opensuse.org/opensuse-updates/2014-09/msg00046.htmlMailing ListThird Party Advisory
http://marc.info/?l=bugtraq&m=141017844705317&w=2Issue TrackingThird Party Advisory
http://mx.gw.com/pipermail/file/2014/001553.htmlBroken Link
http://rhn.redhat.com/errata/RHSA-2014-1765.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1766.htmlThird Party Advisory
http://secunia.com/advisories/59794Not Applicable
http://secunia.com/advisories/59831Not Applicable
http://support.apple.com/kb/HT6443Third Party Advisory
http://www.debian.org/security/2014/dsa-2974Third Party Advisory
http://www.debian.org/security/2014/dsa-3021Third Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.htmlThird Party Advisory
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.hThird Party Advisory
http://www.php.net/ChangeLog-5.phpRelease NotesVendor Advisory
http://www.securityfocus.com/bid/68238Third Party AdvisoryVDB Entry

FAQ

What is CVE-2014-3480?

CVE-2014-3480 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The cdf_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate sector-count data, which allows re...

How severe is CVE-2014-3480?

CVE-2014-3480 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2014-3480?

Check the references section above for vendor advisories and patch information. Affected products include: File Project File, Php Php, Debian Debian Linux, Opensuse Opensuse, Oracle Linux.