CVE-2018-15503

{"id": "CVE-2018-15503", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": true, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2018-08-18T02:29:01.903", "references": [{"url": "https://github.com/swoole/swoole-src/commit/4cdbce5d9bf2fe596bb6acd7d6611f9e8c253a76", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/swoole/swoole-src/issues/1882", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://x-c3ll.github.io/posts/swoole-deserialization-cve-2018-15503/", "tags": ["Technical Description", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "The unpack implementation in Swoole version 4.0.4 lacks correct size checks in the deserialization process. An attacker can craft a serialized object to exploit this vulnerability and cause a SEGV."}, {"lang": "es", "value": "La implementaci\u00f3n de desempaquetado en la versi\u00f3n 4.0.4 de Swoole carece de controles de tama\u00f1o correctos en el proceso de deserializaci\u00f3n. Un atacante puede crear un objeto serializado para explotar esta vulnerabilidad y provocar un SEGV."}], "lastModified": "2018-11-08T20:49:48.653", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:swoole:swoole:4.0.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "93EF17F5-CCB3-4CB8-AFE3-706C531F3B1F"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}