CVE-2015-5723
First published: Fri Jul 24 2015(Updated: )
Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/doctrine/common | >=2.0.0<2.4.3>=2.5.0<2.5.1 | |
| composer/zfcampus/zf-apigility-doctrine | >=1.0.0<1.0.3 | |
| composer/aws/aws-sdk-php | >=3.0.0<3.2.1 | 3.2.1 |
| composer/doctrine/doctrine-bundle | <1.5.2 | |
| composer/doctrine/cache | >=1.0.0<1.3.2>=1.4.0<1.4.2 | |
| composer/doctrine/mongodb-odm | >=1.0.0<1.0.2 | |
| composer/doctrine/annotations | >=1.0.0<1.2.7 | |
| composer/doctrine/mongodb-odm-bundle | >=2.0.0<3.0.1 | |
| composer/doctrine/orm | >=2.0.0<2.4.8>=2.5.0<2.5.1 | |
| composer/zendframework/zendframework1 | >=1.12.0<1.12.16 | |
| composer/zendframework/zend-cache | >=2.4.0<2.4.8>=2.5.0<2.5.3 | |
| composer/zendframework/zendframework | >=2.4.0<2.4.8 | |
| Zend Zend-cache | <=2.4.7 | |
| Zend Zend-cache | =2.5.0 | |
| Zend Zend-cache | =2.5.1 | |
| Zend Zend-cache | =2.5.2 | |
| Debian Debian Linux | =7.0 | |
| Debian Debian Linux | =8.0 | |
| Doctrine-project Object Relational Mapper | <=2.4.7 | |
| Doctrine-project Object Relational Mapper | =2.5.0 | |
| Doctrine-project Object Relational Mapper | =2.5.0-alpha1 | |
| Doctrine-project Object Relational Mapper | =2.5.0-alpha2 | |
| Doctrine-project Object Relational Mapper | =2.5.0-beta1 | |
| Doctrine-project Object Relational Mapper | =2.5.0-rc1 | |
| Doctrine-project Object Relational Mapper | =2.5.0-rc2 | |
| Doctrine-project Doctrinemongodbbundle | =3.0.0 | |
| Zend Zend Framework | <=2.4.7 | |
| Doctrine-project Common | <=2.4.2 | |
| Doctrine-project Common | =2.5.0 | |
| Doctrine-project Common | =2.5.0-beta1 | |
| Doctrine-project Annotations | <=1.2.6 | |
| Doctrine-project Mongodb-odm | <=1.0.1 | |
| Zend Zend Framework | <=1.12.15 | |
| Doctrine-project Cache | <=1.3.1 | |
| Doctrine-project Cache | =1.4.0 | |
| Doctrine-project Cache | =1.4.1 | |
| Zend Zf-apigility-doctrine | <=1.0.2 | |
| composer/zfcampus/zf-apigility-doctrine | >=1.0.0<1.0.3 | 1.0.3 |
| composer/zendframework/zendframework | >=2.4.0<2.4.8 | 2.4.8 |
| composer/zendframework/zend-cache | >=2.4.0<2.4.8 | 2.4.8 |
| composer/doctrine/cache | >=1.0.0<1.3.2 | 1.3.2 |
| composer/aws/aws-sdk-php | >=3.0.0<3.2.1 | 3.2.1 |
| composer/zendframework/zend-cache | >=2.5.0<2.5.3 | 2.5.3 |
| composer/zendframework/zendframework1 | >=1.12.0<1.12.16 | 1.12.16 |
| composer/doctrine/mongodb-odm-bundle | <3.0.1 | 3.0.1 |
| composer/doctrine/mongodb-odm | <1.0.2 | 1.0.2 |
| composer/doctrine/orm | >=2.5.0<2.5.1 | 2.5.1 |
| composer/doctrine/common | >=2.5.0-stable<2.5.1 | 2.5.1 |
| composer/doctrine/common | <2.4.3 | 2.4.3 |
| composer/doctrine/cache | >=1.4.0<1.4.2 | 1.4.2 |
| composer/doctrine/annotations | <1.2.7 | 1.2.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html
- https://framework.zend.com/security/advisory/ZF2015-07
- https://github.com/aws/aws-sdk-php/releases/tag/3.2.1
- http://framework.zend.com/security/advisory/ZF2015-07
- http://www.debian.org/security/2015/dsa-3369
- http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67/
- https://nvd.nist.gov/vuln/detail/CVE-2015-5723
- https://github.com/advisories/GHSA-pw5c-xqf2-6xc2 (Advisory)
- https://github.com/FriendsOfPHP/security-advisories/blob/master/aws/aws-sdk-php/CVE-2015-5723.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/doctrine/cache/CVE-2015-5723.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/doctrine/orm/CVE-2015-5723.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-cache/CVE-2015-5723.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2015-5723.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2015-5723.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/zfcampus/zf-apigility-doctrine/CVE-2015-5723.yaml
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67/
- collector/friends-of-php
- collector/nvd-index
- agent/author
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-pw5c-xqf2-6xc2
- alias/CVE-2015-5723
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/weakness
- agent/severity
- agent/description
- agent/event
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/composer
- vendor/zend
- canonical/zend zend-cache
- version/zend zend-cache/2.4.7
- version/zend zend-cache/2.5.0
- version/zend zend-cache/2.5.1
- version/zend zend-cache/2.5.2
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/7.0
- version/debian debian linux/8.0
- vendor/doctrine-project
- canonical/doctrine-project object relational mapper
- version/doctrine-project object relational mapper/2.4.7
- version/doctrine-project object relational mapper/2.5.0
- version/doctrine-project object relational mapper/2.5.0-alpha1
- version/doctrine-project object relational mapper/2.5.0-alpha2
- version/doctrine-project object relational mapper/2.5.0-beta1
- version/doctrine-project object relational mapper/2.5.0-rc1
- version/doctrine-project object relational mapper/2.5.0-rc2
- canonical/doctrine-project doctrinemongodbbundle
- version/doctrine-project doctrinemongodbbundle/3.0.0
- canonical/zend zend framework
- version/zend zend framework/2.4.7
- canonical/doctrine-project common
- version/doctrine-project common/2.4.2
- version/doctrine-project common/2.5.0
- version/doctrine-project common/2.5.0-beta1
- canonical/doctrine-project annotations
- version/doctrine-project annotations/1.2.6
- canonical/doctrine-project mongodb-odm
- version/doctrine-project mongodb-odm/1.0.1
- version/zend zend framework/1.12.15
- canonical/doctrine-project cache
- version/doctrine-project cache/1.3.1
- version/doctrine-project cache/1.4.0
- version/doctrine-project cache/1.4.1
- canonical/zend zf-apigility-doctrine
- version/zend zf-apigility-doctrine/1.0.2