CVE-2014-4721
PUBLISHED
The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 does not ensure use of the string data type for the PHP_AUTH_PW, PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, which might allow context-dependent attackers to obtain sensitive information from process memory by using the integer data type with crafted values, related to a "type confusion" vulnerability, as demonstrated by reading a private SSL key in an Apache HTTP Server web-hosting environment with mod_ssl and a PHP 5.3.x mod_php.
Risk Scores
- EPSS Score: 9.89% (93.1th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:14.04:LTS | php5 | 0, 5.5.3+dfsg-1ubuntu3, 5.5.6+dfsg-1ubuntu1 |
Timeline
- Jul 6, 2014 CVE Published
- Feb 4, 2022 EPSS Score
- Mar 7, 2023 EPSS Score
- Mar 17, 2025 EPSS Score
- May 1, 2025 EPSS Score
- May 4, 2025 EPSS Score
- Jun 1, 2025 EPSS Score
- Jun 4, 2025 EPSS Score
- Jul 1, 2025 EPSS Score
- Jul 4, 2025 EPSS Score
- Jul 30, 2025 EPSS Score
- Aug 1, 2025 EPSS Score
References
- https://ubuntu.com/security/CVE-2014-4721 third-party-advisory
- https://www.sektioneins.de/en/blog/14-07-04-phpinfo-infoleak.html third-party-advisory
- https://ubuntu.com/security/notices/USN-2276-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2014-4721 third-party-advisory