GHSA-gp39-h9c2-qw79
Suggest an improvement- Source
- https://github.com/advisories/GHSA-gp39-h9c2-qw79
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gp39-h9c2-qw79/GHSA-gp39-h9c2-qw79.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-gp39-h9c2-qw79
- Aliases
-
- CVE-2014-2682
- Published
- 2022-05-14T00:56:24Z
- Modified
- 2024-12-07T05:42:49.016631Z
- Summary
- Several Zend Products Vulnerable to XXE and XEE attacks
- Details
-
Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendServiceAudioScrobbler, ZendServiceNirvanix, ZendServiceSlideShare, ZendServiceTechnorati, and ZendServiceWindowsAzure before 2.0.2, ZendServiceAmazon before 2.0.3, and ZendServiceApi before 1.0.0, when PHP-FPM is used, does not properly share the libxmldisableentityloader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.
- Database specific
{ "nvd_published_at": "2014-11-16T00:59:00Z", "cwe_ids": [ "CWE-611", "CWE-776" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-09-25T14:47:31Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2014-2682
- https://web.archive.org/web/20140419041226/http://www.securityfocus.com/bid/66358
- https://web.archive.org/web/20150523055201/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:072/?name=MDVSA-2014:072
- http://advisories.mageia.org/MGASA-2014-0151.html
- http://framework.zend.com/security/advisory/ZF2014-01
- http://seclists.org/oss-sec/2014/q2/0
- http://www.debian.org/security/2015/dsa-3265
Affected packages
Packagist / zendframework/zendframework1
Package
- Name
- zendframework/zendframework1
- Purl
- pkg:composer/zendframework/zendframework1
Packagist / zendframework/zendopenid
Package
- Name
- zendframework/zendopenid
- Purl
- pkg:composer/zendframework/zendopenid
Packagist / zendframework/zendrest
Package
- Name
- zendframework/zendrest
- Purl
- pkg:composer/zendframework/zendrest
Packagist / zendframework/zendservice-audioscrobbler
Package
- Name
- zendframework/zendservice-audioscrobbler
- Purl
- pkg:composer/zendframework/zendservice-audioscrobbler
Packagist / zendframework/zendservice-nirvanix
Package
- Name
- zendframework/zendservice-nirvanix
- Purl
- pkg:composer/zendframework/zendservice-nirvanix
Packagist / zendframework/zendservice-slideshare
Package
- Name
- zendframework/zendservice-slideshare
- Purl
- pkg:composer/zendframework/zendservice-slideshare
Packagist / zendframework/zendservice-technorati
Package
- Name
- zendframework/zendservice-technorati
- Purl
- pkg:composer/zendframework/zendservice-technorati
Packagist / zendframework/zendservice-windowsazure
Package
- Name
- zendframework/zendservice-windowsazure
- Purl
- pkg:composer/zendframework/zendservice-windowsazure
Packagist / zendframework/zendservice-amazon
Package
- Name
- zendframework/zendservice-amazon
- Purl
- pkg:composer/zendframework/zendservice-amazon
Packagist / zendframework/zendservice-api
Package
- Name
- zendframework/zendservice-api
- Purl
- pkg:composer/zendframework/zendservice-api