Several Zend Products Vulnerable to XXE and XEE attacks

2022-05-1400:56:24

CWE-611

CWE-776

GitHub Advisory Database

github.com

zend framework

vulnerable

xxe attacks

xee attacks

php-fpm

libxml_disable_entity_loader

incomplete fix

remote attackers

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS

0.006

Percentile

78.6%

JSON

Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0, when PHP-FPM is used, does not properly share the libxml_disable_entity_loader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.

Affected configurations

Vulners

Node

zendframeworkzendservice-apiRange<1.0.0

zendframeworkzendservice-amazonRange<2.0.3

zendframeworkzendservice-windowsazureRange<2.0.2

zendframeworkzendservice-technoratiRange<2.0.2

zendframeworkzendservice-slideshareRange<2.0.2

zendframeworkzendservice-nirvanixRange<2.0.2

zendframeworkzendservice-audioscrobblerRange<2.0.2

zendframeworkzendrestRange<2.0.2

zendframeworkzendopenidRange<2.0.2

zendframeworkzendframework1Range<1.12.4

VendorProductVersionCPE
zendframeworkzendservice-api*cpe:2.3:a:zendframework:zendservice-api:*:*:*:*:*:*:*:*
zendframeworkzendservice-amazon*cpe:2.3:a:zendframework:zendservice-amazon:*:*:*:*:*:*:*:*
zendframeworkzendservice-windowsazure*cpe:2.3:a:zendframework:zendservice-windowsazure:*:*:*:*:*:*:*:*
zendframeworkzendservice-technorati*cpe:2.3:a:zendframework:zendservice-technorati:*:*:*:*:*:*:*:*
zendframeworkzendservice-slideshare*cpe:2.3:a:zendframework:zendservice-slideshare:*:*:*:*:*:*:*:*
zendframeworkzendservice-nirvanix*cpe:2.3:a:zendframework:zendservice-nirvanix:*:*:*:*:*:*:*:*
zendframeworkzendservice-audioscrobbler*cpe:2.3:a:zendframework:zendservice-audioscrobbler:*:*:*:*:*:*:*:*
zendframeworkzendrest*cpe:2.3:a:zendframework:zendrest:*:*:*:*:*:*:*:*
zendframeworkzendopenid*cpe:2.3:a:zendframework:zendopenid:*:*:*:*:*:*:*:*
zendframeworkzendframework1*cpe:2.3:a:zendframework:zendframework1:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
zendframework	zendservice-api	*	cpe:2.3:a:zendframework:zendservice-api::::::::
zendframework	zendservice-amazon	*	cpe:2.3:a:zendframework:zendservice-amazon::::::::
zendframework	zendservice-windowsazure	*	cpe:2.3:a:zendframework:zendservice-windowsazure::::::::
zendframework	zendservice-technorati	*	cpe:2.3:a:zendframework:zendservice-technorati::::::::
zendframework	zendservice-slideshare	*	cpe:2.3:a:zendframework:zendservice-slideshare::::::::
zendframework	zendservice-nirvanix	*	cpe:2.3:a:zendframework:zendservice-nirvanix::::::::
zendframework	zendservice-audioscrobbler	*	cpe:2.3:a:zendframework:zendservice-audioscrobbler::::::::
zendframework	zendrest	*	cpe:2.3:a:zendframework:zendrest::::::::
zendframework	zendopenid	*	cpe:2.3:a:zendframework:zendopenid::::::::
zendframework	zendframework1	*	cpe:2.3:a:zendframework:zendframework1::::::::