Fluid Attacks Database

Description

ZendXml and Zend Framework contain XXE and XEE Vulnerabilities The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	zendframework/zendxml	>=1.0.0 <1.0.1	1.0.1
packagist	zendframework/zendframework	>=2.0.0 <2.4.6 \|\| >=2.5.0 <2.5.2 \|\| >=1.12.0 <1.12.14	2.4.6, 2.5.2, 1.12.14
packagist	zendframework/zendframework1	>=1.12.0 <1.12.14	1.12.14

Aliases

1. CVE-2015-51612. NVD-2015-51613. OSV-2015-51614. GCVE-2015-5161

References

1. https://github.com/zendframework/zf1/issues/3932. https://github.com/zendframework/ZendXml/commit/79f478fa2af85ce1fc18ac132dee5aa714c3b5323. https://github.com/zendframework/zf1/commit/ff7edddf1410b44b5ead857c02698aad9f748d1b4. https://framework.zend.com/security/advisory/ZF2015-065. https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2015-5161.yaml6. https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2015-5161.yaml7. https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendxml/CVE-2015-5161.yaml8. https://web.archive.org/web/20200228055156/http://www.securityfocus.com/bid/761779. https://www.exploit-db.com/exploits/3776510. http://framework.zend.com/security/advisory/ZF2015-0611. http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt12. http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164409.html13. http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165147.html14. http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165173.html15. http://packetstormsecurity.com/files/133068/Zend-Framework-2.4.2-1.12.13-XXE-Injection.html16. http://seclists.org/fulldisclosure/2015/Aug/4617. http://www.debian.org/security/2015/dsa-334018. http://www.securityfocus.com/bid/76177

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.