GHSA-xp8p-9rq5-4wgv

Source
https://github.com/advisories/GHSA-xp8p-9rq5-4wgv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xp8p-9rq5-4wgv/GHSA-xp8p-9rq5-4wgv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xp8p-9rq5-4wgv
Aliases
  • CVE-2015-5161
Published
2022-05-17T03:16:37Z
Modified
2024-12-04T05:40:31.935654Z
Summary
ZendXml and Zend Framework contain XXE and XEE Vulnerabilities
Details

The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters.

Database specific
{
    "nvd_published_at": "2015-08-25T17:59:00Z",
    "cwe_ids": [
        "CWE-611",
        "CWE-776"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-03T21:53:46Z"
}
References

Affected packages

Packagist / zendframework/zendframework

Package

Name
zendframework/zendframework
Purl
pkg:composer/zendframework/zendframework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.4.6

Affected versions

2.*

2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.2.0rc1
2.2.0rc2
2.2.0rc3
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.4.0rc1
2.4.0rc2
2.4.0rc3
2.4.0rc4
2.4.0rc5
2.4.0rc6
2.4.0rc7
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5

Packagist / zendframework/zendframework

Package

Name
zendframework/zendframework
Purl
pkg:composer/zendframework/zendframework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.5.0
Fixed
2.5.2

Affected versions

2.*

2.5.0
2.5.1

Packagist / zendframework/zendframework1

Package

Name
zendframework/zendframework1
Purl
pkg:composer/zendframework/zendframework1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.12.0
Fixed
1.12.14

Affected versions

1.*

1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.12.5
1.12.6
1.12.7
1.12.8
1.12.9
1.12.10
1.12.11
1.12.12
1.12.13

Packagist / zendframework/zendxml

Package

Name
zendframework/zendxml
Purl
pkg:composer/zendframework/zendxml

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
1.0.1

Affected versions

1.*

1.0.0

Packagist / zendframework/zendframework

Package

Name
zendframework/zendframework
Purl
pkg:composer/zendframework/zendframework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.12.0
Fixed
1.12.14