Vulnerability Details : CVE-2010-2225
Use-after-free vulnerability in the SplObjectStorage unserializer in PHP 5.2.x and 5.3.x through 5.3.2 allows remote attackers to execute arbitrary code or obtain sensitive information via serialized data, related to the PHP unserialize function.
Vulnerability category: Memory Corruption, Execute code
Threat overview for CVE-2010-2225
Top open port discovered on systems with this issue: 80
IPs affected by CVE-2010-2225: 25,336
Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2010-2225
Probability of exploitation activity in the next 30 days: 4.47%
Percentile (the proportion of vulnerabilities scored at or below this one): ~91%
CVSS scores for CVE-2010-2225
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST
CWE ids for CVE-2010-2225
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2010-2225
- http://marc.info/?l=bugtraq&m=133469208622507&w=2 ('[security bulletin] HPSBOV02763 SSRT100826 rev.1 - HP Secure Web Server (SWS) for OpenVMS running PH' - MARC)
- http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00000.html ([security-announce] SUSE Security Summary Report: SUSE-SR:2010:018)
- http://twitter.com/i0n1c/statuses/16447867829 (Stefan Esser on Twitter: "The 0-day I showed at SyScan Singapore was a use-after-free vulnerability in PHP's unserialize(). Unserializing user input==remote code exec.")
- http://lists.apple.com/archives/security-announce/2010//Aug/msg00003.html (Apple - Lists.apple.com)
- https://bugzilla.redhat.com/show_bug.cgi?id=605641 (605641 - (CVE-2010-2225, MOPS-2010-061) CVE-2010-2225 php: SplObjectStorage unserialization flaws (MOPS-2010-061))
- http://www.debian.org/security/2010/dsa-2089 (Debian -- Security Information -- DSA-2089-1 php5)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/59610 (PHP SplObjectStorage class unserialize() code execution CVE-2010-2225 Vulnerability Report)
- http://twitter.com/i0n1c/statuses/16373156076 (Stefan Esser on Twitter: "Teaser for my talk tomorrow about a 0-day in PHP at #SyScan Singapore 2010 - http://pastebin.com/mXGidCsd")
- http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html ([security-announce] SUSE Security Summary Report: SUSE-SR:2010:017)
- http://support.apple.com/kb/HT4312 (About Security Update 2010-005 - Apple Support)
- http://www.securityfocus.com/bid/40948 (PHP 'SplObjectStorage' Unserializer Arbitrary Code Execution Vulnerability)
- http://pastebin.com/mXGidCsd (SyScan 2010 - PHP 0-day - Pastebin.com; Exploit)
Products affected by CVE-2010-2225
- cpe:2.3:a:php:php:5.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.2.12:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:5.2.2:*:*:*:*:*:*:*