Vulnerability Description
Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zend | Zend-Cache | <= 2.4.7 |
| Debian | Debian Linux | 7.0 |
| Doctrine-Project | Object Relational Mapper | <= 2.4.7 |
| Doctrine-Project | Doctrinemongodbbundle | 3.0.0 |
| Zend | Zend Framework | <= 2.4.7 |
| Doctrine-Project | Common | <= 2.4.2 |
| Doctrine-Project | Annotations | <= 1.2.6 |
| Doctrine-Project | Mongodb-Odm | <= 1.0.1 |
| Doctrine-Project | Cache | <= 1.3.1 |
| Zend | Zf-Apigility-Doctrine | <= 1.0.2 |
Related Weaknesses (CWE)
References
- http://framework.zend.com/security/advisory/ZF2015-07
- http://www.debian.org/security/2015/dsa-3369
- http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerabiliVendor Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- http://framework.zend.com/security/advisory/ZF2015-07
- http://www.debian.org/security/2015/dsa-3369
- http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerabiliVendor Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
FAQ
What is CVE-2015-5723?
CVE-2015-5723 is a vulnerability with a CVSS score of 7.8 (HIGH). Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ...
How severe is CVE-2015-5723?
CVE-2015-5723 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-5723?
Check the references section above for vendor advisories and patch information. Affected products include: Zend Zend-Cache, Debian Debian Linux, Doctrine-Project Object Relational Mapper, Doctrine-Project Doctrinemongodbbundle, Zend Zend Framework.