#VU40663 Input validation error in Zend Framework - CVE-2015-5161

Cybersecurity Help s.r.o.

Published: 2015-08-25 | Updated: 2020-08-09

Vulnerability identifier: #VU40663

Vulnerability risk: Medium

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2015-5161

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Zend Framework
Server applications / Frameworks for developing and running applications

Vendor: Zend

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters. <a href="http://cwe.mitre.org/data/definitions/611.html">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>

Mitigation
Install update from vendor's website.

Vulnerable software versions

Zend Framework: 1.0.0 - 2.5.1

External links
https://framework.zend.com/security/advisory/ZF2015-06
https://legalhackers.com/advisories/zend-framework-XXE-vuln.txt
https://lists.fedoraproject.org/pipermail/package-announce/2015-August/164409.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-August/165147.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-August/165173.html
https://packetstormsecurity.com/files/133068/Zend-Framework-2.4.2-1.12.13-XXE-Injection.html
https://seclists.org/fulldisclosure/2015/Aug/46
https://www.debian.org/security/2015/dsa-3340
https://www.securityfocus.com/bid/76177
https://www.exploit-db.com/exploits/37765/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Fedora EPEL 7 update for php-ZendFramework2, php-guzzle-Guzzle

Multiple vulnerabilities in Zend Framework

Fedora 21 update for php-ZendFramework2, php-guzzle-Guzzle

Fedora 22 update for php-ZendFramework2, php-guzzle-Guzzle

Fedora 23 update for php-ZendFramework2, php-guzzle-Guzzle