CVE-2014-5459 — LOW (3.6) — White Hats Nepal

Q: How severe is CVE-2014-5459?

CVE-2014-5459 has been rated LOW with a CVSS base score of 3.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2014-5459?

Check the references section above for vendor advisories and patch information. Affected products include: Php Php, Oracle Solaris, Opensuse Evergreen, Opensuse Opensuse.

Vulnerability Description

The PEAR_REST class in REST.php in PEAR in PHP through 5.6.0 allows local users to write to arbitrary files via a symlink attack on a (1) rest.cachefile or (2) rest.cacheid file in /tmp/pear/cache/, related to the retrieveCacheFirst and useLocalCache functions.

CVSS Score

3.6

LOW

AV:L/AC:L/Au:N/C:N/I:P/A:P

Confidentiality

NONE

Integrity

PARTIAL

Availability

PARTIAL

Affected Products

Vendor	Product	Versions
Php	Php	<= 5.6.0
Oracle	Solaris	11.2
Opensuse	Evergreen	11.4
Opensuse	Opensuse	12.3

Related Weaknesses (CWE)

CWE-59

References

http://lists.opensuse.org/opensuse-updates/2014-09/msg00024.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2014-09/msg00055.htmlMailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2014/08/27/3Mailing ListThird Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.htmlThird Party Advisory
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759282ExploitIssue TrackingThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2014-09/msg00024.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2014-09/msg00055.htmlMailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2014/08/27/3Mailing ListThird Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.htmlThird Party Advisory
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759282ExploitIssue TrackingThird Party Advisory

FAQ

What is CVE-2014-5459?

CVE-2014-5459 is a vulnerability with a CVSS score of 3.6 (LOW). The PEAR_REST class in REST.php in PEAR in PHP through 5.6.0 allows local users to write to arbitrary files via a symlink attack on a (1) rest.cachefile or (2) rest.cacheid file in /tmp/pear/cache/, r...

How severe is CVE-2014-5459?

CVE-2014-5459 has been rated LOW with a CVSS base score of 3.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2014-5459?

Check the references section above for vendor advisories and patch information. Affected products include: Php Php, Oracle Solaris, Opensuse Evergreen, Opensuse Opensuse.