Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.
References
Link | Resource |
---|---|
http://framework.zend.com/security/advisory/ZF2012-01 | Vendor Advisory |
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284 | Patch |
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.html | Mailing List |
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101358.html | Mailing List |
http://openwall.com/lists/oss-security/2013/03/25/2 | Mailing List |
http://www.debian.org/security/2012/dsa-2505 | Mailing List |
http://www.openwall.com/lists/oss-security/2012/06/26/2 | Mailing List |
http://www.openwall.com/lists/oss-security/2012/06/26/4 | Mailing List |
http://www.openwall.com/lists/oss-security/2012/06/27/2 | Mailing List |
http://www.securitytracker.com/id?1027208 | Broken Link Third Party Advisory VDB Entry |
https://moodle.org/mod/forum/discuss.php?d=225345 | Third Party Advisory |
https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt | Broken Link |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
15 Feb 2024, 03:20
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:zend:zend_framework:1.9.4:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.7.5:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.6.1:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.11.0:rc1:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.0.3:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.9.8:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.8.0:b1:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.11.10:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.7.0:pl1:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.11.0:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.9.2:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.8.5:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.0.0:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.5.0:pr:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.11.3:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.9.7:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.7.0:pr:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.10.0:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.6.2:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.7.6:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.5.2:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.7.9:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.8.0:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.8.4:pl1:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.6.0:rc1:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.10.8:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.5.3:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.9.3:pl1:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.10.9:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.7.1:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.5.0:pl:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.10.6:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.7.8:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.10.1:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.10.0:beta1:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.11.7:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.8.4:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.9.0:b1:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.11.1:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.5.0:rc3:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.0.0:rc3:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.5.0:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.9.5:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.7.7:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.7.3:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.10.0:alpha1:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.10.3:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.8.0:a1:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.0.0:rc2a:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.0.1:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.11.9:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.11.11:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.8.1:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.10.5:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.0.0:rc1:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.6.0:rc2:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.8.2:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.5.0:rc1:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.11.2:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.7.2:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.0.2:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.7.3:pl1:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.5.0:rc2:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.10.7:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.9.0:rc1:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.10.0:rc1:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.7.0:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.9.3:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.7.4:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.0.4:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.6.0:rc3:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.5.1:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.11.8:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.9.1:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.0.0:rc2:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.9.0:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.6.0:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.11.6:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.10.4:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.11.5:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.10.2:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.11.0:b1:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.9.6:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.11.4:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:1.9.0:a1:*:*:*:*:*:* |
cpe:2.3:o:fedoraproject:fedora:17:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:* cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:18:*:*:*:*:*:*:* |
CWE | CWE-611 | |
CVSS |
v2 : v3 : |
v2 : 6.4
v3 : 9.1 |
First Time |
Fedoraproject fedora
Fedoraproject Debian Debian debian Linux |
|
References | (SECTRACK) http://www.securitytracker.com/id?1027208 - Broken Link, Third Party Advisory, VDB Entry | |
References | (CONFIRM) http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284 - Patch | |
References | (CONFIRM) http://framework.zend.com/security/advisory/ZF2012-01 - Vendor Advisory | |
References | (FEDORA) http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101358.html - Mailing List | |
References | (MLIST) http://www.openwall.com/lists/oss-security/2012/06/27/2 - Mailing List | |
References | (MLIST) http://www.openwall.com/lists/oss-security/2012/06/26/4 - Mailing List | |
References | (CONFIRM) https://moodle.org/mod/forum/discuss.php?d=225345 - Third Party Advisory | |
References | (MLIST) http://www.openwall.com/lists/oss-security/2012/06/26/2 - Mailing List | |
References | (DEBIAN) http://www.debian.org/security/2012/dsa-2505 - Mailing List | |
References | (MLIST) http://openwall.com/lists/oss-security/2013/03/25/2 - Mailing List | |
References | (FEDORA) http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.html - Mailing List | |
References | (MISC) https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt - Broken Link |
Information
Published : 2013-02-13 17:55
Updated : 2024-02-28 12:00
NVD link : CVE-2012-3363
Mitre link : CVE-2012-3363
CVE.ORG link : CVE-2012-3363
JSON object : View
Products Affected
fedoraproject
- fedora
debian
- debian_linux
zend
- zend_framework
CWE
CWE-611
Improper Restriction of XML External Entity Reference