Several Zend Products Vulnerable to XXE and XEE attacks

Description

Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0, when PHP-FPM is used, does not properly share the libxml_disable_entity_loader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Source code
Not specified
Published (advisory)
2022-05-14 00:56:24 UTC
Updated
2023-09-25 14:47:32 UTC
GitHub reviewed
2023-09-25 14:47:31 UTC
NVD published
2014-11-15

EPSS Score

Score Percentile
1.83% 82.57%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

CWEs

CWE id Name
CWE-611 Improper Restriction of XML External Entity Reference
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Affected packages (10)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
composer zendframework/zendframework1 < 1.12.4 1.12.4
composer zendframework/zendopenid < 2.0.2 2.0.2
composer zendframework/zendrest < 2.0.2 2.0.2
composer zendframework/zendservice-audioscrobbler < 2.0.2 2.0.2
composer zendframework/zendservice-nirvanix < 2.0.2 2.0.2
composer zendframework/zendservice-slideshare < 2.0.2 2.0.2
composer zendframework/zendservice-technorati < 2.0.2 2.0.2
composer zendframework/zendservice-windowsazure < 2.0.2 2.0.2
composer zendframework/zendservice-amazon < 2.0.3 2.0.3
composer zendframework/zendservice-api < 1.0.0 1.0.0

References

cvelogic Threat Intelligence