CVE-2014-2682
 
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0, when PHP-FPM is used, does not properly share the libxml_disable_entity_loader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.
Zend Framework 1 (ZF1) anterior a 1.12.4, Zend Framework 2 anterior a 2.1.6 y 2.2.x anterior a 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, y ZendService_WindowsAzure anterior a 2.0.2, ZendService_Amazon before 2.0.3, y ZendService_Api anterior a 1.0.0, cuando usamos PHP-FPM, no comparte correctamente la configuración entre hilos en libxml_disable_entity_loader, lo que podría permitir a atacantes remotos realizar ataques XXE a través de una declaración de entidad externa de XML junto con una referencia de entidad. NOTA: este fallo existe porque no se solución la CVE-2012-5657.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2014-03-30 CVE Reserved
- 2014-04-09 CVE Published
- 2024-06-28 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-19: Data Processing Errors
CAPEC
References (6)
URL | Tag | Source |
---|---|---|
http://advisories.mageia.org/MGASA-2014-0151.html | Third Party Advisory | |
http://seclists.org/oss-sec/2014/q2/0 | Mailing List | |
http://www.securityfocus.com/bid/66358 | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
http://framework.zend.com/security/advisory/ZF2014-01 | 2019-07-16 | |
http://www.debian.org/security/2015/dsa-3265 | 2019-07-16 | |
http://www.mandriva.com/security/advisories?name=MDVSA-2014:072 | 2019-07-16 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Zend Search vendor "Zend" | Zendrest Search vendor "Zend" for product "Zendrest" | <= 2.0.1 Search vendor "Zend" for product "Zendrest" and version " <= 2.0.1" | - |
Affected
| ||||||
Zend Search vendor "Zend" | Zend Framework Search vendor "Zend" for product "Zend Framework" | < 1.12.4 Search vendor "Zend" for product "Zend Framework" and version " < 1.12.4" | - |
Affected
| ||||||
Zend Search vendor "Zend" | Zend Framework Search vendor "Zend" for product "Zend Framework" | >= 2.1.0 < 2.1.6 Search vendor "Zend" for product "Zend Framework" and version " >= 2.1.0 < 2.1.6" | - |
Affected
| ||||||
Zend Search vendor "Zend" | Zend Framework Search vendor "Zend" for product "Zend Framework" | >= 2.2.0 < 2.2.6 Search vendor "Zend" for product "Zend Framework" and version " >= 2.2.0 < 2.2.6" | - |
Affected
| ||||||
Zend Search vendor "Zend" | Zendservice Slideshare Search vendor "Zend" for product "Zendservice Slideshare" | <= 2.0.1 Search vendor "Zend" for product "Zendservice Slideshare" and version " <= 2.0.1" | - |
Affected
| ||||||
Zend Search vendor "Zend" | Zendservice Api Search vendor "Zend" for product "Zendservice Api" | <= 1.0.0 Search vendor "Zend" for product "Zendservice Api" and version " <= 1.0.0" | - |
Affected
| ||||||
Zend Search vendor "Zend" | Zendservice Audioscrobbler Search vendor "Zend" for product "Zendservice Audioscrobbler" | <= 2.0.1 Search vendor "Zend" for product "Zendservice Audioscrobbler" and version " <= 2.0.1" | - |
Affected
| ||||||
Zend Search vendor "Zend" | Zendservice Amazon Search vendor "Zend" for product "Zendservice Amazon" | <= 2.0.2 Search vendor "Zend" for product "Zendservice Amazon" and version " <= 2.0.2" | - |
Affected
| ||||||
Zend Search vendor "Zend" | Zendservice Technorati Search vendor "Zend" for product "Zendservice Technorati" | <= 2.0.1 Search vendor "Zend" for product "Zendservice Technorati" and version " <= 2.0.1" | - |
Affected
| ||||||
Zend Search vendor "Zend" | Zendservice Windowsazure Search vendor "Zend" for product "Zendservice Windowsazure" | <= 2.0.1 Search vendor "Zend" for product "Zendservice Windowsazure" and version " <= 2.0.1" | - |
Affected
| ||||||
Zend Search vendor "Zend" | Zendopenid Search vendor "Zend" for product "Zendopenid" | <= 2.0.1 Search vendor "Zend" for product "Zendopenid" and version " <= 2.0.1" | - |
Affected
| ||||||
Zend Search vendor "Zend" | Zendservice Nirvanix Search vendor "Zend" for product "Zendservice Nirvanix" | <= 2.0.1 Search vendor "Zend" for product "Zendservice Nirvanix" and version " <= 2.0.1" | - |
Affected
|