CVE-2014-9652
PUBLISHED
The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted file.
Risk Scores
EPSS Score: 6.91% (91.6th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:14.04:LTS | php5 | *, 5.5.9+dfsg-1ubuntu3, 5.5.9+dfsg-1ubuntu4 |
| Ubuntu:14.04:LTS | file | 5.11-2ubuntu4, 1:5.14-2ubuntu2, 1:5.14-2ubuntu3 |
Exploit Intelligence
- PHP 5.4.45 is Outdated and Full of Preformance Interupting Arbitrary Code Execution Bugs (hackerone)
Timeline
- CVE Published
- Aug 21, 2017 PoC Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Sep 3, 2022 EPSS Score
- Dec 18, 2022 EPSS Score
- Feb 8, 2023 EPSS Score
- Apr 2, 2023 EPSS Score
- May 25, 2023 EPSS Score
- Sep 7, 2023 EPSS Score
- Oct 29, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2014-9652 third-party-advisory
- https://ubuntu.com/security/notices/USN-2501-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2014-9652 third-party-advisory