// For flags

CVE-2014-2682

 

Severity Score

6.8
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0, when PHP-FPM is used, does not properly share the libxml_disable_entity_loader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.

Zend Framework 1 (ZF1) anterior a 1.12.4, Zend Framework 2 anterior a 2.1.6 y 2.2.x anterior a 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, y ZendService_WindowsAzure anterior a 2.0.2, ZendService_Amazon before 2.0.3, y ZendService_Api anterior a 1.0.0, cuando usamos PHP-FPM, no comparte correctamente la configuración entre hilos en libxml_disable_entity_loader, lo que podría permitir a atacantes remotos realizar ataques XXE a través de una declaración de entidad externa de XML junto con una referencia de entidad. NOTA: este fallo existe porque no se solución la CVE-2012-5657.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2014-03-30 CVE Reserved
  • 2014-04-09 CVE Published
  • 2024-06-28 EPSS Updated
  • 2024-08-06 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-19: Data Processing Errors
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Zend
Search vendor "Zend"
Zendrest
Search vendor "Zend" for product "Zendrest"
<= 2.0.1
Search vendor "Zend" for product "Zendrest" and version " <= 2.0.1"
-
Affected
Zend
Search vendor "Zend"
Zend Framework
Search vendor "Zend" for product "Zend Framework"
< 1.12.4
Search vendor "Zend" for product "Zend Framework" and version " < 1.12.4"
-
Affected
Zend
Search vendor "Zend"
Zend Framework
Search vendor "Zend" for product "Zend Framework"
>= 2.1.0 < 2.1.6
Search vendor "Zend" for product "Zend Framework" and version " >= 2.1.0 < 2.1.6"
-
Affected
Zend
Search vendor "Zend"
Zend Framework
Search vendor "Zend" for product "Zend Framework"
>= 2.2.0 < 2.2.6
Search vendor "Zend" for product "Zend Framework" and version " >= 2.2.0 < 2.2.6"
-
Affected
Zend
Search vendor "Zend"
Zendservice Slideshare
Search vendor "Zend" for product "Zendservice Slideshare"
<= 2.0.1
Search vendor "Zend" for product "Zendservice Slideshare" and version " <= 2.0.1"
-
Affected
Zend
Search vendor "Zend"
Zendservice Api
Search vendor "Zend" for product "Zendservice Api"
<= 1.0.0
Search vendor "Zend" for product "Zendservice Api" and version " <= 1.0.0"
-
Affected
Zend
Search vendor "Zend"
Zendservice Audioscrobbler
Search vendor "Zend" for product "Zendservice Audioscrobbler"
<= 2.0.1
Search vendor "Zend" for product "Zendservice Audioscrobbler" and version " <= 2.0.1"
-
Affected
Zend
Search vendor "Zend"
Zendservice Amazon
Search vendor "Zend" for product "Zendservice Amazon"
<= 2.0.2
Search vendor "Zend" for product "Zendservice Amazon" and version " <= 2.0.2"
-
Affected
Zend
Search vendor "Zend"
Zendservice Technorati
Search vendor "Zend" for product "Zendservice Technorati"
<= 2.0.1
Search vendor "Zend" for product "Zendservice Technorati" and version " <= 2.0.1"
-
Affected
Zend
Search vendor "Zend"
Zendservice Windowsazure
Search vendor "Zend" for product "Zendservice Windowsazure"
<= 2.0.1
Search vendor "Zend" for product "Zendservice Windowsazure" and version " <= 2.0.1"
-
Affected
Zend
Search vendor "Zend"
Zendopenid
Search vendor "Zend" for product "Zendopenid"
<= 2.0.1
Search vendor "Zend" for product "Zendopenid" and version " <= 2.0.1"
-
Affected
Zend
Search vendor "Zend"
Zendservice Nirvanix
Search vendor "Zend" for product "Zendservice Nirvanix"
<= 2.0.1
Search vendor "Zend" for product "Zendservice Nirvanix" and version " <= 2.0.1"
-
Affected