Lucene search

[email protected]NVD:CVE-2021-3007

HistoryJan 04, 2021 - 3:15 a.m.

CVE-2021-3007

2021-01-0403:15:13

CWE-502

[email protected]

web.nvd.nist.gov

laminas project

deserialization

remote code execution

zend framework

php language

vendor

type checking

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.8

Confidence

High

EPSS

0.044

Percentile

92.5%

JSON

Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a “vulnerability in the PHP language itself” but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized

Affected configurations

Nvd

Node

getlaminaslaminas-httpRange<2.14.2

zendzend_frameworkMatch3.0.0

VendorProductVersionCPE
getlaminaslaminas-http*cpe:2.3:a:getlaminas:laminas-http:*:*:*:*:*:*:*:*
zendzend_framework3.0.0cpe:2.3:a:zend:zend_framework:3.0.0:*:*:*:*:*:*:*