CVE-2014-3981 — LOW (3.3) — White Hats Nepal

Q: What is CVE-2014-3981?

CVE-2014-3981 is a vulnerability with a CVSS score of 3.3 (LOW). acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to overwrite arbitrary files via a symlink attack on the /tmp/phpglibccheck file.

Q: How severe is CVE-2014-3981?

CVE-2014-3981 has been rated LOW with a CVSS base score of 3.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2014-3981?

Check the references section above for vendor advisories and patch information. Affected products include: Php Php.

Vulnerability Description

acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to overwrite arbitrary files via a symlink attack on the /tmp/phpglibccheck file.

CVSS Score

3.3

LOW

AV:L/AC:M/Au:N/C:N/I:P/A:P

Confidentiality

NONE

Integrity

PARTIAL

Availability

PARTIAL

Affected Products

Vendor	Product	Versions
Php	Php	< 5.3.29

Related Weaknesses (CWE)

CWE-59

References

http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=91bcadd85e20e50d3f8c2e972132768
http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.htmlMailing List
http://marc.info/?l=bugtraq&m=141017844705317&w=2Mailing ListThird Party Advisory
http://marc.info/?l=bugtraq&m=141390017113542&w=2Mailing ListThird Party Advisory
http://openwall.com/lists/oss-security/2014/06/06/12Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2014/Jun/21Mailing ListThird Party Advisory
http://support.apple.com/kb/HT6443Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21683486Third Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.htmlThird Party Advisory
https://bugs.php.net/bug.php?id=67390PatchVendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1104978Issue TrackingThird Party Advisory
https://support.apple.com/HT204659Third Party Advisory
http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=91bcadd85e20e50d3f8c2e972132768
http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.htmlMailing List
http://marc.info/?l=bugtraq&m=141017844705317&w=2Mailing ListThird Party Advisory

FAQ

What is CVE-2014-3981?

CVE-2014-3981 is a vulnerability with a CVSS score of 3.3 (LOW). acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to overwrite arbitrary files via a symlink attack on the /tmp/phpglibccheck file.

How severe is CVE-2014-3981?

CVE-2014-3981 has been rated LOW with a CVSS base score of 3.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2014-3981?

Check the references section above for vendor advisories and patch information. Affected products include: Php Php.