Vulnerability Description
gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before 5.5.16 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to overwrite arbitrary files via crafted input to an application that calls the (1) imagegd, (2) imagegd2, (3) imagegif, (4) imagejpeg, (5) imagepng, (6) imagewbmp, or (7) imagewebp function.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Php | Php | 5.4.0 |
Related Weaknesses (CWE)
References
- http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html
- http://lists.opensuse.org/opensuse-updates/2014-09/msg00024.html
- http://php.net/ChangeLog-5.php
- http://rhn.redhat.com/errata/RHSA-2014-1327.html
- http://rhn.redhat.com/errata/RHSA-2014-1765.html
- http://rhn.redhat.com/errata/RHSA-2014-1766.html
- http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
- https://bugs.php.net/bug.php?id=67730Vendor Advisory
- https://support.apple.com/HT204659
- http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html
- http://lists.opensuse.org/opensuse-updates/2014-09/msg00024.html
- http://php.net/ChangeLog-5.php
- http://rhn.redhat.com/errata/RHSA-2014-1327.html
- http://rhn.redhat.com/errata/RHSA-2014-1765.html
- http://rhn.redhat.com/errata/RHSA-2014-1766.html
FAQ
What is CVE-2014-5120?
CVE-2014-5120 is a vulnerability with a CVSS score of 6.4 (MEDIUM). gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before 5.5.16 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to overwrite arbitrary files via c...
How severe is CVE-2014-5120?
CVE-2014-5120 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-5120?
Check the references section above for vendor advisories and patch information. Affected products include: Php Php.