Vulnerability identifier: #VU43093
Vulnerability risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID:
CWE-ID:
CWE-20
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
Zend Framework
Server applications /
Frameworks for developing and running applications
Vendor: Zend
Description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Zend Framework: 1.0.0 - 1.12.0
External links
https://framework.zend.com/security/advisory/ZF2012-01
https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284
https://lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-April/101358.html
https://openwall.com/lists/oss-security/2013/03/25/2
https://www.debian.org/security/2012/dsa-2505
https://www.openwall.com/lists/oss-security/2012/06/26/2
https://www.openwall.com/lists/oss-security/2012/06/26/4
https://www.openwall.com/lists/oss-security/2012/06/27/2
https://www.securitytracker.com/id?1027208
https://moodle.org/mod/forum/discuss.php?d=225345
https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.