Fluid Attacks Database

Description

Zend Access Restriction Bypass The (1) Zend_Ldap class in Zend before 1.12.9 and (2) Zend\Ldap component in Zend 2.x before 2.2.8 and 2.3.x before 2.3.3 allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	zendframework/zendframework	>=2.0.0 <2.0.99 \|\| >=2.1.0 <2.1.99 \|\| >=2.2.0 <2.2.8 \|\| >=2.3.0 <2.3.3	2.0.99, 2.1.99, 2.2.8, 2.3.3
packagist	zendframework/zendframework1	>=1.12.0 <1.12.9	1.12.9
packagist	zendframework/zend-ldap	>=2.0.0 <2.0.99 \|\| >=2.1.0 <2.1.99 \|\| >=2.2.0 <2.2.8 \|\| >=2.3.0 <2.3.3	2.2.8, 2.3.3

Aliases

1. CVE-2014-80882. NVD-2014-80883. OSV-2014-80884. GCVE-2014-8088

References

1. https://github.com/zendframework/zendframework/commit/a4222a6c1dc809f0f32fdafcd1ac4d583a075f2f2. https://exchange.xforce.ibmcloud.com/vulnerabilities/970383. https://framework.zend.com/security/advisory/ZF2014-054. https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2014-8088.yaml5. https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2014-8088.yaml6. http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141070.html7. http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141106.html8. http://www.debian.org/security/2015/dsa-32659. http://www.openwall.com/lists/oss-security/2014/10/10/510. http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html11. http://www.securityfocus.com/bid/70378

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.