CVE-2018-15503
HIGH
Swoole - Insecure Deserialization
The unpack implementation in Swoole version 4.0.4 lacks correct size checks in the deserialization process. An attacker can craft a serialized object to exploit this vulnerability and cause a SEGV.
Exploits (1)
github
WORKING POC
11 stars
by X-C3LL · python · poc
https://github.com/X-C3LL/PoC-CVEs/tree/master/CVE-2018-15503
Scores
CVSS v3
7.5
EPSS
0.0146
EPSS Percentile
80.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Classification
CWE
CWE-502
Status
published
Affected Products (1)
swoole/swoole
Timeline
Published
Aug 18, 2018
Tracked Since
Feb 18, 2026