GHSA-fh7r-58q4-6387
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fh7r-58q4-6387
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-fh7r-58q4-6387/GHSA-fh7r-58q4-6387.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-fh7r-58q4-6387
- Published
- 2024-06-07T20:55:32Z
- Modified
- 2024-12-04T05:41:23.708118Z
- Severity
-
- 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N CVSS Calculator
- Summary
- Zendframework URL Rewrite vulnerability
- Details
-
zend-diactoros (and, by extension, Expressive), zend-http (and, by extension, Zend Framework MVC projects), and zend-feed (specifically, its PubSubHubbub sub-component) each contain a potential URL rewrite exploit. In each case, marshaling a request URI includes logic that introspects HTTP request headers that are specific to a given server-side URL rewrite mechanism.
When these headers are present on systems not running the specific URL rewriting mechanism, the logic would still trigger, allowing a malicious client or proxy to emulate the headers to request arbitrary content.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-352" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-06-07T20:55:32Z" }- References
Affected packages
Packagist / zendframework/zendframework
Package
- Name
- zendframework/zendframework
- Purl
- pkg:composer/zendframework/zendframework
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.5.0
Affected versions
2.*
2.0.0beta4
2.0.0beta5
2.0.0rc1
2.0.0rc2
2.0.0rc3
2.0.0rc4
2.0.0rc5
2.0.0rc6
2.0.0rc7
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.2.0rc1
2.2.0rc2
2.2.0rc3
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.4.0rc1
2.4.0rc2
2.4.0rc3
2.4.0rc4
2.4.0rc5
2.4.0rc6
2.4.0rc7
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
2.4.10
2.4.11
2.4.12
2.4.13