CVE-2015-5723

Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 7.8 HIGH | LOCAL | LOW | LOW | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| mitre | CNA | --- | --- |
| CVE | ADP | --- | --- |

EPSS Score percentile: 30%

| Vendor | Product | Version |
|---|---|---|
| zend | zend-cache | 𝑥 ≤ 2.4.7 |
| zend | zend-cache | 2.5.0 |
| zend | zend-cache | 2.5.1 |
| zend | zend-cache | 2.5.2 |
| debian | debian_linux | 7.0 |
| debian | debian_linux | 8.0 |
| doctrine-project | object_relational_mapper | 𝑥 ≤ 2.4.7 |
| doctrine-project | object_relational_mapper | 2.5.0 |
| doctrine-project | object_relational_mapper | 2.5.0:alpha1 |
| doctrine-project | object_relational_mapper | 2.5.0:alpha2 |
| doctrine-project | object_relational_mapper | 2.5.0:beta1 |
| doctrine-project | object_relational_mapper | 2.5.0:rc1 |
| doctrine-project | object_relational_mapper | 2.5.0:rc2 |
| doctrine-project | doctrinemongodbbundle | 3.0.0 |
| zend | zend_framework | 𝑥 ≤ 2.4.7 |
| doctrine-project | common | 𝑥 ≤ 2.4.2 |
| doctrine-project | common | 2.5.0 |
| doctrine-project | common | 2.5.0:beta1 |
| doctrine-project | annotations | 𝑥 ≤ 1.2.6 |
| doctrine-project | mongodb-odm | 𝑥 ≤ 1.0.1 |
| zend | zend_framework | 𝑥 ≤ 1.12.15 |
| doctrine-project | cache | 𝑥 ≤ 1.3.1 |
| doctrine-project | cache | 1.4.0 |
| doctrine-project | cache | 1.4.1 |
| zend | zf-apigility-doctrine | 𝑥 ≤ 1.0.2 |

𝑥 = Vulnerable software versions
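
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| doctrine | bullseye | 2.8.1+dfsg-3 | fixed |
| doctrine | wheezy | | no-dsa |
| doctrine | squeeze | | not-affected |
| doctrine | bookworm | 2.14.1+dfsg-1 | fixed |
| doctrine | sid | 2.20.0+dfsg-1 | fixed |
| doctrine | trixie | 2.20.0+dfsg-1 | fixed |
| php-doctrine-annotations | bullseye | 1.11.2-1+deb11u1 | fixed |
| php-doctrine-annotations | wheezy | | no-dsa |
| php-doctrine-annotations | squeeze | | not-affected |
| php-doctrine-annotations | bookworm | 2.0.1-1+deb12u1 | fixed |
| php-doctrine-annotations | sid | 2.0.2-1 | fixed |
| php-doctrine-annotations | trixie | 2.0.2-1 | fixed |
| php-doctrine-bundle | bullseye | 2.2.3-1 | fixed |
| php-doctrine-bundle | wheezy | | no-dsa |
| php-doctrine-bundle | squeeze | | not-affected |
| php-doctrine-cache | bullseye | 1.10.2-2 | fixed |
| php-doctrine-cache | wheezy | | no-dsa |
| php-doctrine-cache | squeeze | | not-affected |
| php-doctrine-cache | bookworm | 2.2.0-1 | fixed |
| php-doctrine-cache | sid | 2.2.0-4 | fixed |
| php-doctrine-cache | trixie | 2.2.0-4 | fixed |
| php-doctrine-common | bullseye | 3.1.1-1 | fixed |
| php-doctrine-common | wheezy | | no-dsa |
| php-doctrine-common | squeeze | | not-affected |
| php-doctrine-common | bookworm | 3.4.3-1 | fixed |
| php-doctrine-common | sid | 3.4.5-1 | fixed |
| php-doctrine-common | trixie | 3.4.5-1 | fixed |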
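
Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| doctrine | disco | not-affected |
| doctrine | cosmic | not-affected |
| doctrine | bionic | not-affected |
| doctrine | artful | ignored |
| doctrine | zesty | ignored |
| doctrine | yakkety | ignored |
| doctrine | xenial | not-affected |
| doctrine | wily | ignored |
| doctrine | vivid | ignored |
| doctrine | trusty | dne |
| doctrine | precise | ignored |
| php-doctrine-annotations | disco | not-affected |
| php-doctrine-annotations | cosmic | not-affected |
| php-doctrine-annotations | bionic | not-affected |
| php-doctrine-annotations | artful | ignored |
| php-doctrine-annotations | zesty | ignored |
| php-doctrine-annotations | yakkety | ignored |
| php-doctrine-annotations | xenial | not-affected |
| php-doctrine-annotations | wily | ignored |
| php-doctrine-annotations | vivid | ignored |
| php-doctrine-annotations | trusty | dne |
| php-doctrine-annotations | precise | dne |
| php-doctrine-cache | disco | not-affected |
| php-doctrine-cache | cosmic | not-affected |
| php-doctrine-cache | bionic | not-affected |
| php-doctrine-cache | artful | ignored |
| php-doctrine-cache | zesty | ignored |
| php-doctrine-cache | yakkety | ignored |
| php-doctrine-cache | xenial | not-affected |
| php-doctrine-cache | wily | ignored |
| php-doctrine-cache | vivid | ignored |
| php-doctrine-cache | trusty | dne |
| php-doctrine-cache | precise | dne |
| php-doctrine-common | disco | not-affected |
| php-doctrine-common | cosmic | not-affected |
| php-doctrine-common | bionic | not-affected |
| php-doctrine-common | artful | ignored |
| php-doctrine-common | zesty | ignored |
| php-doctrine-common | yakkety | ignored |
| php-doctrine-common | xenial | not-affected |
| php-doctrine-common | wily | ignored |
| php-doctrine-common | vivid | ignored |
| php-doctrine-common | trusty | dne |
| php-doctrine-common | precise | dne |
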
Common Weakness Enumeration