CVE-2015-6837
Publication date 9 September 2015
Last updated 24 July 2024
Ubuntu priority
Cvss 3 Severity Score
The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation during initial error checking, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6838.
Status
Package | Ubuntu Release | Status |
---|---|---|
php5 | ||
14.04 LTS trusty |
Fixed 5.5.9+dfsg-1ubuntu4.13
|
|
Notes
Patch details
Package | Patch details |
---|---|
php5 |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 · High |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-2758-1
- PHP vulnerabilities
- 30 September 2015