GHSA-f6p5-76fp-m248
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f6p5-76fp-m248
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-f6p5-76fp-m248/GHSA-f6p5-76fp-m248.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-f6p5-76fp-m248
- Published
- 2022-04-28T21:09:54Z
- Modified
- 2024-11-28T05:40:52.931974Z
- Summary
- URL Rewrite vulnerability in multiple zendframework components
- Details
-
zend-diactoros (and, by extension, Expressive), zend-http (and, by extension, Zend Framework MVC projects), and zend-feed (specifically, its PubSubHubbub sub-component) each contain a potential URL rewrite exploit. In each case, marshaling a request URI includes logic that introspects HTTP request headers that are specific to a given server-side URL rewrite mechanism.
When these headers are present on systems not running the specific URL rewriting mechanism, the logic would still trigger, allowing a malicious client or proxy to emulate the headers to request arbitrary content.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-04-28T21:09:54Z" }- References
-
- https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-diactoros/ZF2018-01.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-feed/ZF2018-01.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-http/ZF2018-01.yaml
Affected packages
Packagist / zendframework/zend-diactoros
Package
- Name
- zendframework/zend-diactoros
- Purl
- pkg:composer/zendframework/zend-diactoros
Packagist / zendframework/zend-feed
Package
- Name
- zendframework/zend-feed
- Purl
- pkg:composer/zendframework/zend-feed
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.10.3
Affected versions
2.*
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.2.0rc1
2.2.0rc2
2.2.0rc3
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.4.0rc1
2.4.0rc2
2.4.0rc3
2.4.0rc4
2.4.0rc5
2.4.0rc6
2.4.0rc7
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
2.4.10
2.4.11
2.4.12
2.4.13
2.5.0
2.5.1
2.5.2
2.6.0
2.7.0
2.8.0
2.9.0
2.9.1
2.10.0
2.10.1
2.10.2
Packagist / zendframework/zend-http
Package
- Name
- zendframework/zend-http
- Purl
- pkg:composer/zendframework/zend-http
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.8.1
Affected versions
2.*
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.2.0rc1
2.2.0rc2
2.2.0rc3
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.4.0rc1
2.4.0rc2
2.4.0rc3
2.4.0rc4
2.4.0rc5
2.4.0rc6
2.4.0rc7
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
2.4.10
2.4.11
2.4.12
2.4.13
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.5.6
2.6.0
2.7.0
2.8.0