CVE-2014-8684
critical
CVSS v3
9.8
CVSS v2
7.5
VIR risk
9.8
Description
CodeIgniter and Kohana vulnerable to PHP Object Injection
Predictions
Exploit likelihood
97%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | codeigniter/framework | <3.0.0 | 3.0.0 |
| Packagist | kohana/core | <3.3.3 | 3.3.3 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| codeigniter | codeigniter | {"endIncluding":"2.2.6"} | |
| kohanaframework | kohana | 3.2.3 | |
| kohanaframework | kohana | 3.3.0 | |
| kohanaframework | kohana | 3.3.1 | |
References
- http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html
- http://seclists.org/fulldisclosure/2014/May/54
- https://github.com/kohana/core/pull/492
- https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection
- https://nvd.nist.gov/vuln/detail/CVE-2014-8684
- https://github.com/kohana/core/commit/66b409a6da2960130888989534ff1799532b8f32
- https://github.com/bcit-ci/CodeIgniter/blob/2.2.6/system/libraries/Session.php#L159
- https://web.archive.org/web/20140802041151/https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection
CWEs
CWE-310
Verify integrity in audit chain (admin only). AS-IS.