CVE-2014-2681

Mandriva Linux Security Advisory 2014-072

Severity Score

9.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.

Zend Framework 1 (ZF1) anterior a 1.12.4, Zend Framework 2 anterior a 2.1.6 y 2.2.x anterior a 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, y ZendService_WindowsAzure anterior a 2.0.2, ZendService_Amazon anterior a 2.0.2, ZendService_Amazon anterior a 2.0.3, y ZendService_Api anterior a 1.0.0 permite a atacantes remotos leer ficheros arbitrarios, enviar peticiones HTTP al servidor de una intranet, y posiblemente causar una denegación de servicio (Consumo de CPU y memoria) a través de un ataque XXE por XML. NOTA: este fallo existe porque no se corrigió CVE-2012-5657.

XML eXternal Entity flaws were discovered in the Zend Framework. An attacker could use these flaws to cause a denial of service, access files accessible to the server process, or possibly perform other more advanced XML External Entity attacks. Using the Consumer component of Zend_OpenId, it is possible to login using an arbitrary OpenID account (without knowing any secret information) by using a malicious OpenID Provider. That means OpenID it is possible to login using arbitrary OpenID Identity (MyOpenID, Google, etc), which are not under the control of our own OpenID Provider. Thus, we are able to impersonate any OpenID Identity against the framework ,. The implementation of the ORDER BY SQL statement in Zend_Db_Select of Zend Framework 1 contains a potential SQL injection when the query string passed contains parentheses. Due to a bug in PHP's LDAP extension, when ZendFramework's Zend_ldap class is used for logins, an attacker can login as any user by using a null byte to bypass the empty password check and perform an unauthenticated LDAP bind. The sqlsrv PHP extension, which provides the ability to connect to Microsoft SQL Server from PHP, does not provide a built-in quoting mechanism for manually quoting values to pass via SQL queries; developers are encouraged to use prepared statements. Zend Framework provides quoting mechanisms via Zend_Db_Adapter_Sqlsrv which uses the recommended double single quote as quoting delimiters. SQL Server treats null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2014-03-30 CVE Reserved
2014-04-09 CVE Published
2024-08-06 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-19: Data Processing Errors

CAPEC

References (6)

URL	Tag	Source
http://advisories.mageia.org/MGASA-2014-0151.html	Third Party Advisory
http://seclists.org/oss-sec/2014/q2/0	Mailing List
http://www.securityfocus.com/bid/66358	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://framework.zend.com/security/advisory/ZF2014-01	2019-07-16
http://www.debian.org/security/2015/dsa-3265	2019-07-16
http://www.mandriva.com/security/advisories?name=MDVSA-2014:072	2019-07-16

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Zend Search vendor "Zend"		Zendrest Search vendor "Zend" for product "Zendrest"				<= 2.0.1 Search vendor "Zend" for product "Zendrest" and version " <= 2.0.1"		-		Affected
Zend Search vendor "Zend"		Zend Framework Search vendor "Zend" for product "Zend Framework"				< 1.12.4 Search vendor "Zend" for product "Zend Framework" and version " < 1.12.4"		-		Affected
Zend Search vendor "Zend"		Zend Framework Search vendor "Zend" for product "Zend Framework"				>= 2.1.0 < 2.1.6 Search vendor "Zend" for product "Zend Framework" and version " >= 2.1.0 < 2.1.6"		-		Affected
Zend Search vendor "Zend"		Zend Framework Search vendor "Zend" for product "Zend Framework"				>= 2.2.0 < 2.2.6 Search vendor "Zend" for product "Zend Framework" and version " >= 2.2.0 < 2.2.6"		-		Affected
Zend Search vendor "Zend"		Zendservice Slideshare Search vendor "Zend" for product "Zendservice Slideshare"				<= 2.0.1 Search vendor "Zend" for product "Zendservice Slideshare" and version " <= 2.0.1"		-		Affected
Zend Search vendor "Zend"		Zendservice Api Search vendor "Zend" for product "Zendservice Api"				<= 1.0.0 Search vendor "Zend" for product "Zendservice Api" and version " <= 1.0.0"		-		Affected
Zend Search vendor "Zend"		Zendservice Audioscrobbler Search vendor "Zend" for product "Zendservice Audioscrobbler"				<= 2.0.1 Search vendor "Zend" for product "Zendservice Audioscrobbler" and version " <= 2.0.1"		-		Affected
Zend Search vendor "Zend"		Zendservice Amazon Search vendor "Zend" for product "Zendservice Amazon"				<= 2.0.2 Search vendor "Zend" for product "Zendservice Amazon" and version " <= 2.0.2"		-		Affected
Zend Search vendor "Zend"		Zendservice Technorati Search vendor "Zend" for product "Zendservice Technorati"				<= 2.0.1 Search vendor "Zend" for product "Zendservice Technorati" and version " <= 2.0.1"		-		Affected
Zend Search vendor "Zend"		Zendservice Windowsazure Search vendor "Zend" for product "Zendservice Windowsazure"				<= 2.0.1 Search vendor "Zend" for product "Zendservice Windowsazure" and version " <= 2.0.1"		-		Affected
Zend Search vendor "Zend"		Zendopenid Search vendor "Zend" for product "Zendopenid"				<= 2.0.1 Search vendor "Zend" for product "Zendopenid" and version " <= 2.0.1"		-		Affected
Zend Search vendor "Zend"		Zendservice Nirvanix Search vendor "Zend" for product "Zendservice Nirvanix"				<= 2.0.1 Search vendor "Zend" for product "Zendservice Nirvanix" and version " <= 2.0.1"		-		Affected