GHSA-2jx7-xg83-j2m7

Source: https://github.com/advisories/GHSA-2jx7-xg83-j2m7
Import Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-2jx7-xg83-j2m7/GHSA-2jx7-xg83-j2m7.json
JSON Data: https://api.osv.dev/v1/vulns/GHSA-2jx7-xg83-j2m7
Published: 2024-06-07T21:39:23Z
Modified: 2024-06-07T21:39:23Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Zendframework Denial of Service vector via XEE injection
Details

Zend_Dom, Zend_Feed, Zend_Soap, and Zend_XmlRpc are vulnerable to XML Entity Expansion (XEE), which leads to Denial of Service. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; expanding them consumes CPU and memory, making Denial of Service exploits trivial to implement.
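The practical defence against the vector described above is to refuse any document that carries a DOCTYPE before the parser can see its entity declarations, and to parse with entity substitution and DTD loading left off. The following is an added example written for this page, not the project's own patch or any Zend component; it assumes PHP 7.4 or later with ext-dom and ext-libxml, and the sample documents are constructed here for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Zend Framework code. Refuses XML that declares a
// DOCTYPE before parsing, then re-checks the parsed tree.
// Assumed environment: PHP 7.4+ with ext-dom / ext-libxml.

/**
 * Pre-parse check: any DOCTYPE (and therefore any internal-subset
 * <!ENTITY ...> definition) causes rejection. A plain substring scan is
 * used on purpose: it is cheap and runs before any expansion can happen.
 * It is deliberately conservative; "<!DOCTYPE" inside a comment or CDATA
 * section is rejected as well.
 */
function containsDoctype(string $xml): bool
{
    return stripos($xml, '<!DOCTYPE') !== false;
}

/**
 * Parse untrusted XML with entity handling locked down.
 * Returns the DOMDocument, or throws if the input is refused or malformed.
 */
function loadUntrustedXml(string $xml): DOMDocument
{
    if (containsDoctype($xml)) {
        throw new RuntimeException('Refusing XML that declares a DOCTYPE');
    }

    $dom = new DOMDocument();
    $previous = libxml_use_internal_errors(true);
    // LIBXML_NONET blocks network fetches of external DTDs and entities.
    // LIBXML_NOENT and LIBXML_DTDLOAD are intentionally NOT set, so entity
    // references are never substituted and no DTD is loaded.
    $loaded = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($loaded === false) {
        throw new RuntimeException('XML is not well-formed');
    }
    // Post-parse check: the tree must not carry a document type node.
    if ($dom->doctype !== null) {
        throw new RuntimeException('Parsed tree unexpectedly contains a DOCTYPE');
    }
    return $dom;
}

// --- Constructed samples (not taken from the advisory) ---

// Benign feed-like document without a DOCTYPE: accepted.
$benign = '<?xml version="1.0"?><rss><channel><title>ok</title></channel></rss>';

// Document whose internal subset defines entities that reference each
// other, the shape the advisory describes. Two definitions are enough to
// show the point: the check triggers on the DOCTYPE itself, independent
// of how deeply the references nest.
$withEntities = '<?xml version="1.0"?>'
    . '<!DOCTYPE rss [ <!ENTITY a "x"> <!ENTITY b "&a;&a;"> ]>'
    . '<rss><channel><title>&b;</title></channel></rss>';

$dom = loadUntrustedXml($benign);
echo 'accepted: ', $dom->getElementsByTagName('title')->item(0)->textContent, PHP_EOL;

try {
    loadUntrustedXml($withEntities);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The string scan is the part that matters for availability: it costs a single pass over the input and runs before libxml has had a chance to allocate anything for entity definitions. The post-parse `doctype` check is a second line of defence in case the input is loaded through some other path. Note that `libxml_disable_entity_loader()`, which older PHP hardening guides recommend, is deprecated as of PHP 8.0 because external entity loading is already off by default there; the parser flags above do not depend on it.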

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-776"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-07T21:39:23Z"
}
References

Affected packages

Packagist / zendframework/zendframework1

Package
Name: zendframework/zendframework1
Purl: pkg:composer/zendframework/zendframework1

Affected ranges
Type: ECOSYSTEM
Events
Introduced: 1.0.0
Fixed: 1.11.13