CVE-2015-5723

Published: Jun 7, 2016Modified: May 6, 2026

7.8

Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code.

Affected (25)

Products: Zend: Zend Cache, Zend Framework, Zf Apigility Doctrine · Debian: Debian Linux · Doctrine Project: Object Relational Mapper, Doctrinemongodbbundle, Common, Annotations, Mongodb Odm, Cache

Zend

3 products

Zend Cache

Zend Framework

Zf Apigility Doctrine

Debian

1 product

Debian Linux

Doctrine Project

6 products

Object Relational Mapper

Doctrinemongodbbundle

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Zend Zend Cache	Up to 2.4.7
Zend Zend Cache	Version 2.5.0
Zend Zend Cache	Version 2.5.1
Zend Zend Cache	Version 2.5.2

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 7.0
Debian Debian Linux	Version 8.0

Configuration C

7 vulnerable

Vulnerable Software	Affected Versions
Doctrine Project Object Relational Mapper	Up to 2.4.7
Doctrine Project Object Relational Mapper	Version 2.5.0
Doctrine Project Object Relational Mapper	Version 2.5.0 alpha1
Doctrine Project Object Relational Mapper	Version 2.5.0 alpha2
Doctrine Project Object Relational Mapper	Version 2.5.0 beta1
Doctrine Project Object Relational Mapper	Version 2.5.0 rc1
Doctrine Project Object Relational Mapper	Version 2.5.0 rc2

Configuration D

1 vulnerable

Vulnerable Software	Affected Versions
Doctrine Project Doctrinemongodbbundle	Version 3.0.0

Configuration E

1 vulnerable

Vulnerable Software	Affected Versions
Zend Zend Framework	Up to 2.4.7

Configuration F

3 vulnerable

Vulnerable Software	Affected Versions
Doctrine Project Common	Up to 2.4.2
Doctrine Project Common	Version 2.5.0
Doctrine Project Common	Version 2.5.0 beta1

Configuration G

1 vulnerable

Vulnerable Software	Affected Versions
Doctrine Project Annotations	Up to 1.2.6

Configuration H

1 vulnerable

Vulnerable Software	Affected Versions
Doctrine Project Mongodb Odm	Up to 1.0.1

Configuration I

1 vulnerable

Vulnerable Software	Affected Versions
Zend Zend Framework	Up to 1.12.15

Configuration J

3 vulnerable

Vulnerable Software	Affected Versions
Doctrine Project Cache	Up to 1.3.1
Doctrine Project Cache	Version 1.4.0
Doctrine Project Cache	Version 1.4.1

Configuration K

1 vulnerable

Vulnerable Software	Affected Versions
Zend Zf Apigility Doctrine	Up to 1.0.2

Related CWEs

CWE-264

References (10)

http://framework.zend.com/security/advisory/ZF2015-07

Source: cve@mitre.org

http://www.debian.org/security/2015/dsa-3369

Source: cve@mitre.org

http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html

Source: cve@mitre.org

Vendor Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67/

Source: cve@mitre.org

http://framework.zend.com/security/advisory/ZF2015-07