Vulnerability Description
The unpack implementation in Swoole version 4.0.4 lacks correct size checks in the deserialization process. An attacker can craft a serialized object to exploit this vulnerability and cause a SEGV.
CVSS Score
7.5
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Swoole | Swoole | 4.0.4 |
Related Weaknesses (CWE)
References
- https://github.com/swoole/swoole-src/commit/4cdbce5d9bf2fe596bb6acd7d6611f9e8c25PatchVendor Advisory
- https://github.com/swoole/swoole-src/issues/1882Issue TrackingVendor Advisory
- https://x-c3ll.github.io/posts/swoole-deserialization-cve-2018-15503/Technical DescriptionThird Party Advisory
- https://github.com/swoole/swoole-src/commit/4cdbce5d9bf2fe596bb6acd7d6611f9e8c25PatchVendor Advisory
- https://github.com/swoole/swoole-src/issues/1882Issue TrackingVendor Advisory
- https://x-c3ll.github.io/posts/swoole-deserialization-cve-2018-15503/Technical DescriptionThird Party Advisory
FAQ
What is CVE-2018-15503?
CVE-2018-15503 is a vulnerability with a CVSS score of 7.5 (HIGH). The unpack implementation in Swoole version 4.0.4 lacks correct size checks in the deserialization process. An attacker can craft a serialized object to exploit this vulnerability and cause a SEGV.
How severe is CVE-2018-15503?
CVE-2018-15503 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-15503?
Check the references section above for vendor advisories and patch information. Affected products include: Swoole Swoole.