Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function that triggers calculation of a large length value.
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
Php Php 5.5.16 (not an official CPE)
PHP 5.4.9
Php Php 5.5.15 (not an official CPE)
PHP 5.5.14
PHP 5.4.7
PHP 5.5.13
PHP 5.4.8
PHP 5.4.27
PHP 5.4.28
PHP 5.4.29
PHP 5.5.0
PHP 5.5.1
PHP 5.4.30
Php Php 5.4.31 (not an official CPE)
Php Php 5.4.32 (not an official CPE)
Php Php 5.4.33 (not an official CPE)
PHP 5.4.12 release candidate 2
PHP 5.4.13 release candidate 1
PHP 5.4.17
PHP 5.4.16 release candidate 1
PHP 5.4.18
PHP 5.4.19
PHP 5.4.14 release candidate 1
PHP 5.4.12 release candidate 1
PHP 5.4.15 release candidate 1
PHP 5.5.4
PHP 5.5.5
PHP 5.4.20
PHP 5.5.2
PHP 5.4.21
PHP 5.5.3
PHP 5.4.22
PHP 5.5.8
PHP 5.4.23
PHP 5.5.9
PHP 5.4.24
PHP 5.5.6
PHP 5.4.25
PHP 5.5.7
PHP 5.4.26
Php Php 5.5.17 (not an official CPE)
PHP 5.5.0 alpha5
PHP 5.5.0 alpha6
PHP 5.5.0 alpha3
PHP 5.5.0 release candidate 2
PHP 5.5.0 alpha4
PHP 5.5.0 release candidate 1
PHP 5.5.0 alpha1
PHP 5.5.0 alpha2
PHP 5.4.1
Php Php 5.6.0 (not an official CPE)
PHP 5.4.2
PHP 5.4.0
PHP 5.4.10
PHP 5.4.11
PHP 5.4.12
PHP 5.4.13
PHP 5.4.14
PHP 5.4.4
PHP 5.4.3
PHP 5.5.10
Php Php 5.6.1 (not an official CPE)
PHP 5.4.6
PHP 5.5.11
PHP 5.4.5
PHP 5.5.12
PHP 5.5.0 beta2
PHP 5.5.0 beta1
PHP 5.5.0 beta4
PHP 5.5.0 beta3