Description
The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call.