1. Home
  2. CVE Database
  3. CVE-2015-4147
HIGH · 7.5

CVE-2015-4147

The SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that __default_headers is an array, which allows remote attackers to ...

Vulnerability Description

The SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that __default_headers is an array, which allows remote attackers to execute arbitrary code by providing crafted serialized data with an unexpected data type, related to a "type confusion" issue.

CVSS Score

7.5

HIGH

AV:N/AC:L/Au:N/C:P/I:P/A:P
Confidentiality
PARTIAL
Integrity
PARTIAL
Availability
PARTIAL

Affected Products

VendorProductVersions
RedhatEnterprise Linux Desktop7.0
RedhatEnterprise Linux Hpc Node7.0
RedhatEnterprise Linux Hpc Node Eus7.1
RedhatEnterprise Linux Server7.0
RedhatEnterprise Linux Server Eus7.1
RedhatEnterprise Linux Workstation7.0
AppleMac Os X<= 10.10.4
PhpPhp<= 5.4.38

Related Weaknesses (CWE)

CWE-19

References

FAQ

What is CVE-2015-4147?

CVE-2015-4147 is a vulnerability with a CVSS score of 7.5 (HIGH). The SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that __default_headers is an array, which allows remote attackers to ...

How severe is CVE-2015-4147?

CVE-2015-4147 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2015-4147?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Hpc Node, Redhat Enterprise Linux Hpc Node Eus, Redhat Enterprise Linux Server, Redhat Enterprise Linux Server Eus.