GHSA-229x-22xc-2f2w – zendframework/zendframework1

Package

Manager: composer
Name: zendframework/zendframework1
Vulnerable Version: >=1.0.0 <1.11.13

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Zendframework Local file disclosure via XXE injection in Zend_XmlRpc Zend_XmlRpc is vulnerable to XML eXternal Entity (XXE) Injection attacks. The SimpleXMLElement class (SimpleXML PHP extension) is used in an insecure way to parse XML data. External entities can be specified by adding a specific DOCTYPE element to XML-RPC requests. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.

Metadata

Created: 2024-06-07T21:39:43Z
Modified: 2024-06-07T21:39:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-229x-22xc-2f2w/GHSA-229x-22xc-2f2w.json
CWE IDs: ["CWE-611"]
Alternative ID: N/A
Finding: F083
Auto approve: 1