CVE-2014-3487 — MEDIUM (4.3)

Q: How severe is CVE-2014-3487?

CVE-2014-3487 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2014-3487?

Check the references section above for vendor advisories and patch information. Affected products include: File Project File, Php Php, Debian Debian Linux, Opensuse Opensuse, Oracle Linux.

Vulnerability Description

The cdf_read_property_info function in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate a stream offset, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.

CVSS Score

4.3

MEDIUM

AV:N/AC:M/Au:N/C:N/I:N/A:P

Confidentiality

NONE

Integrity

NONE

Availability

PARTIAL

Affected Products

Vendor	Product	Versions
File Project	File	< 5.19
Php	Php	< 5.3.29
Debian	Debian Linux	7.0
Opensuse	Opensuse	11.4
Oracle	Linux	7

Related Weaknesses (CWE)

CWE-20

References

http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.htmlBroken LinkMailing List
http://lists.opensuse.org/opensuse-updates/2014-09/msg00046.htmlMailing ListThird Party Advisory
http://marc.info/?l=bugtraq&m=141017844705317&w=2Issue TrackingThird Party Advisory
http://mx.gw.com/pipermail/file/2014/001553.htmlBroken Link
http://rhn.redhat.com/errata/RHSA-2014-1765.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1766.htmlThird Party Advisory
http://secunia.com/advisories/59794Not Applicable
http://secunia.com/advisories/59831Not Applicable
http://support.apple.com/kb/HT6443Third Party Advisory
http://www.debian.org/security/2014/dsa-2974Third Party Advisory
http://www.debian.org/security/2014/dsa-3021Third Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.htmlThird Party Advisory
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.hThird Party Advisory
http://www.php.net/ChangeLog-5.phpRelease NotesVendor Advisory
http://www.securityfocus.com/bid/68120Third Party AdvisoryVDB Entry

FAQ

What is CVE-2014-3487?

CVE-2014-3487 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The cdf_read_property_info function in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate a stream offset, which allows remote...

How severe is CVE-2014-3487?

CVE-2014-3487 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2014-3487?

Check the references section above for vendor advisories and patch information. Affected products include: File Project File, Php Php, Debian Debian Linux, Opensuse Opensuse, Oracle Linux.