GHSA-2jx7-xg83-j2m7 – zendframework/zendframework1
Package
Manager: composer
Name: zendframework/zendframework1
Vulnerable Version: >=1.0.0 <1.11.13
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Zend Framework denial of service via XML Entity Expansion (XEE)
`Zend_Dom`, `Zend_Feed`, `Zend_Soap`, and `Zend_XmlRpc` are vulnerable to XML Entity Expansion (XEE), which an attacker can use to cause a denial of service. An XEE attack places entity definitions in the XML DOCTYPE declaration that reference one another recursively or in deeply nested chains, so that a small document expands to an enormous amount of data when the parser substitutes the entities. The resulting CPU and memory consumption makes a denial of service trivial to carry out against any component that parses untrusted XML.
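The payload shape described above, and a guard that refuses it before it reaches the parser, as an added example. This is not code from zendframework/zendframework1 or from the advisory; the `$xee` document is constructed here and the helper name `loadXmlSafely` is an assumption. The guard follows the general mitigation for CWE-776: reject any input that carries a DOCTYPE (entity definitions can only appear there), and parse the remainder with network access disabled and without `LIBXML_NOENT`, so entity references would not be substituted even if the textual check were bypassed.

```php
<?php
// Added example: XML Entity Expansion (XEE) payload and a pre-parse guard.
// Not code from zendframework/zendframework1; names and sample input are constructed.

// Constructed "billion laughs" style payload: each entity references the
// previous one ten times, so &lol3; expands to 1,000 copies of "lol" and a
// few more levels would reach gigabytes from a document of a few hundred bytes.
$xee = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>
XML;

/**
 * Returns true when the raw XML text carries a DOCTYPE declaration.
 * Internal entity definitions can only live inside a DOCTYPE, so refusing
 * any DOCTYPE closes XEE (and, as a side effect, external-entity XXE) before
 * a single byte reaches libxml. The check is textual on purpose: once the
 * parser has read the DTD, the entities already exist in memory.
 */
function hasDoctype(string $xml): bool
{
    return preg_match('/<!DOCTYPE/i', $xml) === 1;
}

/**
 * Hypothetical hardened loader (assumption, not a ZF1 API): reject DOCTYPEs,
 * then parse with network loading disabled and entity substitution off.
 *
 * @throws RuntimeException on a DOCTYPE or on malformed XML
 */
function loadXmlSafely(string $xml): DOMDocument
{
    if (hasDoctype($xml)) {
        throw new RuntimeException('XML document contains a DOCTYPE; refusing to parse');
    }

    $dom = new DOMDocument();
    // Collect libxml warnings instead of emitting them as PHP warnings.
    $previous = libxml_use_internal_errors(true);
    try {
        // LIBXML_NONET: no network fetches. LIBXML_NOENT is deliberately NOT
        // passed, so entity references stay unexpanded reference nodes.
        if ($dom->loadXML($xml, LIBXML_NONET) === false) {
            throw new RuntimeException('malformed XML');
        }
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
    return $dom;
}

// Usage: the constructed payload is rejected, a plain document is parsed.
try {
    loadXmlSafely($xee);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

$clean = loadXmlSafely('<feed><entry>ok</entry></feed>');
echo 'parsed root element: ', $clean->documentElement->tagName, PHP_EOL;
```

The DOCTYPE check is the defense that matters: libxml2 builds every entity in the internal subset while reading the DTD, so options passed to `loadXML` only control substitution, not definition, and parsers that always expand entities (for example `simplexml_load_string` or the expat-style `xml_parser_*` functions) have no equivalent switch. Run the guard on every entry point that accepts XML from the network, which for this advisory means the SOAP, XML-RPC, feed and DOM-query inputs.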
Metadata
Created: 2024-06-07T21:39:23Z
Modified: 2024-06-07T21:39:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-2jx7-xg83-j2m7/GHSA-2jx7-xg83-j2m7.json
CWE IDs: ["CWE-776"]
Alternative ID: N/A
Finding: F083
Auto approve: 1