CVE-2014-2497
UnknownEPSS 22.32%
Last modified
CVE-2014-2497 is a vulnerability of currently unknown severity. The gdImageCreateFromXpm function in gdxpm.c in libgd, as used in PHP 5.4.26 and earlier, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted color table in an XPM file.. EPSS estimates a 22.32% chance of exploitation in the next 30 days.
Description
The gdImageCreateFromXpm function in gdxpm.c in libgd, as used in PHP 5.4.26 and earlier, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted color table in an XPM file.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Php | Php | < 5.4.32 | — |
| Php | Php | >= 5.5.0, < 5.5.16 | — |
| Canonical | Ubuntu Linux | 12.04 | — |
| Canonical | Ubuntu Linux | 14.04 | — |
| Canonical | Ubuntu Linux | 15.10 | — |
| Canonical | Ubuntu Linux | 16.04 | — |
| Suse | Linux Enterprise Server | 11 | Sp2 |
| Suse | Linux Enterprise Software Development Kit | 11 | Sp3 |
| Redhat | Enterprise Linux Desktop | 6.0 | — |
| Redhat | Enterprise Linux Desktop | 7.0 | — |
| Redhat | Enterprise Linux Eus | 6.5 | — |
| Redhat | Enterprise Linux Eus | 7.3 | — |
| Redhat | Enterprise Linux Eus | 7.4 | — |
| Redhat | Enterprise Linux Eus | 7.5 | — |
| Redhat | Enterprise Linux Eus | 7.6 | — |
| Redhat | Enterprise Linux Eus | 7.7 | — |
| Redhat | Enterprise Linux Server | 6.0 | — |
| Redhat | Enterprise Linux Server | 7.0 | — |
| Redhat | Enterprise Linux Server Aus | 6.5 | — |
| Redhat | Enterprise Linux Server Aus | 7.3 | — |
| Redhat | Enterprise Linux Server Aus | 7.6 | — |
| Redhat | Enterprise Linux Server Tus | 6.5 | — |
| Redhat | Enterprise Linux Server Tus | 7.3 | — |
| Redhat | Enterprise Linux Server Tus | 7.6 | — |
| Redhat | Enterprise Linux Server Tus | 7.7 | — |
| Redhat | Enterprise Linux Workstation | 6.0 | — |
| Redhat | Enterprise Linux Workstation | 7.0 | — |
| Debian | Debian Linux | 7.0 | — |
| Debian | Debian Linux | 8.0 | — |
| Oracle | Solaris | 11.2 | — |
References
- http://advisories.mageia.org/MGASA-2014-0288.htmlThird Party Advisory
- http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.htmlBroken Link, Mailing List
- http://lists.opensuse.org/opensuse-security-announce/2014-07/msg00001.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2014-07/msg00002.htmlMailing List, Third Party Advisory
- http://rhn.redhat.com/errata/RHSA-2014-1326.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2014-1327.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2014-1765.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2014-1766.htmlThird Party Advisory
- http://secunia.com/advisories/59061Not Applicable
- http://secunia.com/advisories/59418Not Applicable
- http://secunia.com/advisories/59496Not Applicable
- http://secunia.com/advisories/59652Not Applicable
- http://www.debian.org/security/2015/dsa-3215Third Party Advisory
- http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.htmlThird Party Advisory
- http://www.securityfocus.com/bid/66233Third Party Advisory, VDB Entry
- http://www.ubuntu.com/usn/USN-2987-1Third Party Advisory
- https://bugs.php.net/bug.php?id=66901Exploit, Issue Tracking, Patch, Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1076676Issue Tracking, Patch, Third Party Advisory
- https://security.gentoo.org/glsa/201607-04Third Party Advisory
- https://support.apple.com/HT204659Third Party Advisory
- http://advisories.mageia.org/MGASA-2014-0288.htmlThird Party Advisory
- http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.htmlBroken Link, Mailing List
- http://lists.opensuse.org/opensuse-security-announce/2014-07/msg00001.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2014-07/msg00002.htmlMailing List, Third Party Advisory
- http://rhn.redhat.com/errata/RHSA-2014-1326.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2014-1327.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2014-1765.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2014-1766.htmlThird Party Advisory
- http://secunia.com/advisories/59061Not Applicable
- http://secunia.com/advisories/59418Not Applicable
- http://secunia.com/advisories/59496Not Applicable
- http://secunia.com/advisories/59652Not Applicable
- http://www.debian.org/security/2015/dsa-3215Third Party Advisory
- http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.htmlThird Party Advisory
- http://www.securityfocus.com/bid/66233Third Party Advisory, VDB Entry
- http://www.ubuntu.com/usn/USN-2987-1Third Party Advisory
- https://bugs.php.net/bug.php?id=66901Exploit, Issue Tracking, Patch, Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1076676Issue Tracking, Patch, Third Party Advisory
- https://security.gentoo.org/glsa/201607-04Third Party Advisory
- https://support.apple.com/HT204659Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2014-2497?
The gdImageCreateFromXpm function in gdxpm.c in libgd, as used in PHP 5.4.26 and earlier, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted color table in an XPM file.
How severe is CVE-2014-2497?
Severity scoring for CVE-2014-2497 is pending analysis. The EPSS model estimates a 22.32% probability of exploitation in the next 30 days.
How do I fix CVE-2014-2497?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.
Are you affected by CVE-2014-2497?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST