CVE-2014-2682 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2014-2682

CVE-2014-2682

November 16, 2014

Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0, when PHP-FPM is used, does not properly share the libxml_disable_entity_loader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.

Affected Packages

zendframework/zendservice-api (PHP):

Affected version(s) >=release-1.0.0beta1 <1.0.0

Fix Suggestion:

Update to version 1.0.0

zendframework/zendframework1 (PHP):

Affected version(s) >=release-1.12.0 <1.12.4

Fix Suggestion:

Update to version 1.12.4

zendframework/zendservice-audioscrobbler (PHP):

Affected version(s) >=release-2.0.0rc1 <2.0.2

Fix Suggestion:

Update to version 2.0.2

zendframework/zendservice-slideshare (PHP):

Affected version(s) >=release-2.0.0rc1 <2.0.2

Fix Suggestion:

Update to version 2.0.2

zendframework/zendservice-technorati (PHP):

Affected version(s) >=release-2.0.0rc1 <2.0.2

Fix Suggestion:

Update to version 2.0.2

zendframework/zendservice-amazon (PHP):

Affected version(s) >=release-2.0.0rc1 <2.0.3

Fix Suggestion:

Update to version 2.0.3

zendframework/zendrest (PHP):

Affected version(s) >=release-2.0.0rc1 <2.0.2

Fix Suggestion:

Update to version 2.0.2

zendframework/zendservice-windowsazure (PHP):

Affected version(s) >=release-2.0.0rc1 <2.0.2

Fix Suggestion:

Update to version 2.0.2

zendframework/zendservice-nirvanix (PHP):

Affected version(s) >=release-2.0.0rc1 <2.0.2

Fix Suggestion:

Update to version 2.0.2

zendframework/zendopenid (PHP):

Affected version(s) >=release-2.0.0rc1 <2.0.2

Fix Suggestion:

Update to version 2.0.2

Related Resources (9)

http://seclists.org/oss-sec/2014/q2/0

http://www.debian.org/security/2015/dsa-3265

https://web.archive.org/web/20150523055201/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:072/?name=MDVSA-2014:072

http://advisories.mageia.org/MGASA-2014-0151.html

http://www.mandriva.com/security/advisories?name=MDVSA-2014:072

https://nvd.nist.gov/vuln/detail/CVE-2014-2682

https://web.archive.org/web/20140419041226/http://www.securityfocus.com/bid/66358

http://framework.zend.com/security/advisory/ZF2014-01

http://www.securityfocus.com/bid/66358

Do you need more information?

CVSS v4

Base Score:

6.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

LOW

Vulnerable System Availability

LOW

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

5.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

CVSS v2

Base Score:

6.8

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

Weakness Type (CWE)

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CWE-776

Improper Restriction of XML External Entity Reference

CWE-611

EPSS

Base Score:

1.83

Products

Solutions

Resources

Company

Compare

Developer Tools