GHSA-gp39-h9c2-qw79

Suggest an improvement
Source
https://github.com/advisories/GHSA-gp39-h9c2-qw79
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gp39-h9c2-qw79/GHSA-gp39-h9c2-qw79.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-gp39-h9c2-qw79
Aliases
  • CVE-2014-2682
Published
2022-05-14T00:56:24Z
Modified
2024-12-07T05:42:49.016631Z
Summary
Several Zend Products Vulnerable to XXE and XEE attacks
Details

Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendServiceAudioScrobbler, ZendServiceNirvanix, ZendServiceSlideShare, ZendServiceTechnorati, and ZendServiceWindowsAzure before 2.0.2, ZendServiceAmazon before 2.0.3, and ZendServiceApi before 1.0.0, when PHP-FPM is used, does not properly share the libxmldisableentityloader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.

Database specific 
{
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-611",
        "CWE-776"
    ],
    "github_reviewed_at": "2023-09-25T14:47:31Z",
    "nvd_published_at": "2014-11-16T00:59:00Z"
}
References

Affected packages

Packagist

zendframework/zendframework1

Package

Name
zendframework/zendframework1
Purl
pkg:composer/zendframework/zendframework1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.12.4

Affected versions

1.*

1.12.0
1.12.1
1.12.2
1.12.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gp39-h9c2-qw79/GHSA-gp39-h9c2-qw79.json"

zendframework/zendopenid

Package

Name
zendframework/zendopenid
Purl
pkg:composer/zendframework/zendopenid

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.2

Affected versions

2.*

2.0.0rc1
2.0.0rc2
2.0.0rc3
2.0.0rc4
2.0.0rc5
2.0.0rc6
2.0.0rc7
2.0.0
2.0.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gp39-h9c2-qw79/GHSA-gp39-h9c2-qw79.json"

zendframework/zendrest

Package

Name
zendframework/zendrest
Purl
pkg:composer/zendframework/zendrest

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.2

Affected versions

2.*

2.0.0rc1
2.0.0rc2
2.0.0rc3
2.0.0rc4
2.0.0rc5
2.0.0rc6
2.0.0rc7
2.0.0
2.0.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gp39-h9c2-qw79/GHSA-gp39-h9c2-qw79.json"

zendframework/zendservice-audioscrobbler

Package

Name
zendframework/zendservice-audioscrobbler
Purl
pkg:composer/zendframework/zendservice-audioscrobbler

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.2

Affected versions

2.*

2.0.0rc1
2.0.0rc2
2.0.0rc3
2.0.0rc4
2.0.0rc5
2.0.0rc6
2.0.0rc7
2.0.0
2.0.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gp39-h9c2-qw79/GHSA-gp39-h9c2-qw79.json"

zendframework/zendservice-nirvanix

Package

Name
zendframework/zendservice-nirvanix
Purl
pkg:composer/zendframework/zendservice-nirvanix

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.2

Affected versions

2.*

2.0.0rc1
2.0.0rc2
2.0.0rc3
2.0.0rc4
2.0.0rc5
2.0.0rc6
2.0.0rc7
2.0.0
2.0.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gp39-h9c2-qw79/GHSA-gp39-h9c2-qw79.json"

zendframework/zendservice-slideshare

Package

Name
zendframework/zendservice-slideshare
Purl
pkg:composer/zendframework/zendservice-slideshare

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.2

Affected versions

2.*

2.0.0rc1
2.0.0rc2
2.0.0rc3
2.0.0rc4
2.0.0rc5
2.0.0rc6
2.0.0rc7
2.0.0
2.0.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gp39-h9c2-qw79/GHSA-gp39-h9c2-qw79.json"

zendframework/zendservice-technorati

Package

Name
zendframework/zendservice-technorati
Purl
pkg:composer/zendframework/zendservice-technorati

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.2

Affected versions

2.*

2.0.0rc1
2.0.0rc2
2.0.0rc3
2.0.0rc4
2.0.0rc5
2.0.0rc6
2.0.0rc7
2.0.0
2.0.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gp39-h9c2-qw79/GHSA-gp39-h9c2-qw79.json"

zendframework/zendservice-windowsazure

Package

Name
zendframework/zendservice-windowsazure
Purl
pkg:composer/zendframework/zendservice-windowsazure

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.2

Affected versions

2.*

2.0.0rc1
2.0.0rc2
2.0.0rc3
2.0.0rc4
2.0.0rc5
2.0.0rc6
2.0.0rc7
2.0.0
2.0.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gp39-h9c2-qw79/GHSA-gp39-h9c2-qw79.json"

zendframework/zendservice-amazon

Package

Name
zendframework/zendservice-amazon
Purl
pkg:composer/zendframework/zendservice-amazon

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.3

Affected versions

2.*

2.0.0rc1
2.0.0rc2
2.0.0rc3
2.0.0rc4
2.0.0rc5
2.0.0rc6
2.0.0rc7
2.0.0
2.0.1
2.0.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gp39-h9c2-qw79/GHSA-gp39-h9c2-qw79.json"

zendframework/zendservice-api

Package

Name
zendframework/zendservice-api
Purl
pkg:composer/zendframework/zendservice-api

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.0.0

Affected versions

1.*

1.0.0beta1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gp39-h9c2-qw79/GHSA-gp39-h9c2-qw79.json"