#VU43093 Input validation error in Zend Framework - CVE-2012-3363


| Updated: 2020-08-11

Vulnerability identifier: #VU43093

Vulnerability risk: Medium

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2012-3363

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Zend Framework
Server applications / Frameworks for developing and running applications

Vendor: Zend

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Zend Framework: 1.0.0 - 1.12.0


External links
https://framework.zend.com/security/advisory/ZF2012-01
https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284
https://lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-April/101358.html
https://openwall.com/lists/oss-security/2013/03/25/2
https://www.debian.org/security/2012/dsa-2505
https://www.openwall.com/lists/oss-security/2012/06/26/2
https://www.openwall.com/lists/oss-security/2012/06/26/4
https://www.openwall.com/lists/oss-security/2012/06/27/2
https://www.securitytracker.com/id?1027208
https://moodle.org/mod/forum/discuss.php?d=225345
https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


Latest bulletins with this vulnerability