CVE-2012-3363
published 2013-02-13CVE-2012-3363: Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to…
PriorityP278critical9.1CVSS 3.1
AVNACLPRNUINSUCHIHAN
EXPLOIT
EPSS
50.25%
98.8th percentile
Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.
Affected
63 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect HTTP POST requests to XML-RPC endpoints containing a DOCTYPE element with an external entity reference (XXE payload) targeting local files or TCP connections. ↗
- →Look for XML-RPC POST requests whose body contains both a DOCTYPE declaration and an entity reference (e.g., &xxe;) — the canonical XXE injection pattern used against Zend_XmlRpc. ↗
- →Flag absence of libxml_disable_entity_loader() call before SimpleXMLElement instantiation in PHP code as a vulnerable code pattern for this CVE. ↗
- →Monitor for XML-RPC requests to Moodle web services endpoints that carry DOCTYPE/external entity payloads, as Moodle's bundled Zend library is also affected. ↗
- ·The vulnerability affects both the XML-RPC server and client code paths; detection/patching must cover both Request.php and Response.php, not just the server-side handler. ↗
- ·Older Zend Framework branches (prior to 1.11.x and 1.12.x) are also affected but will not receive official fixes; environments running those branches require manual remediation or upgrade. ↗
- ·Any third-party software that bundles or depends on the Zend XmlRpc package inherits this vulnerability and must be patched independently (e.g., Moodle). ↗
- ·CVE-2012-3363 is distinct from CVE-2012-6531, which covers Zend_Dom, Zend_Feed, and Zend_Soap; both CVEs share the same XXE root cause but affect different components. ↗
CVSS provenance
nvdv3.19.1CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvdv2.06.4MEDIUMAV:N/AC:L/Au:N/C:P/I:P/A:N
ghsa9.1CRITICAL
osv9.1CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Zend Framework XXE Vulnerability
ghsa·2022-05-17
CVE-2012-3363 [HIGH] CWE-611 Zend Framework XXE Vulnerability
Zend Framework XXE Vulnerability
`Zend_XmlRpc` in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle `SimpleXMLElement` classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.
OSV
Zend Framework XXE Vulnerability
osv·2022-05-17
CVE-2012-3363 [HIGH] Zend Framework XXE Vulnerability
Zend Framework XXE Vulnerability
`Zend_XmlRpc` in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle `SimpleXMLElement` classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.
GHSA
Zend Framework XEE Vulnerability
ghsa·2022-05-17·CVSS 9.1
CVE-2012-6531 [CRITICAL] CWE-776 Zend Framework XEE Vulnerability
Zend Framework XEE Vulnerability
(1) `Zend_Dom`, (2) `Zend_Feed`, and (3) `Zend_Soap` in Zend Framework 1.x before 1.11.13 and 1.12.x before 1.12.0 do not properly handle SimpleXMLElement classes, which allow remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack, a different vulnerability than CVE-2012-3363.
OSV
Zend Framework XEE Vulnerability
osv·2022-05-17·CVSS 9.1
CVE-2012-6531 [CRITICAL] Zend Framework XEE Vulnerability
Zend Framework XEE Vulnerability
(1) `Zend_Dom`, (2) `Zend_Feed`, and (3) `Zend_Soap` in Zend Framework 1.x before 1.11.13 and 1.12.x before 1.12.0 do not properly handle SimpleXMLElement classes, which allow remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack, a different vulnerability than CVE-2012-3363.
OSV
CVE-2012-3363: Zend_XmlRpc in Zend Framework 1
osv·2013-02-13·CVSS 9.1
CVE-2012-3363 [CRITICAL] CVE-2012-3363: Zend_XmlRpc in Zend Framework 1
Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.
OSV
CVE-2012-6531: (1) Zend_Dom, (2) Zend_Feed, and (3) Zend_Soap in Zend Framework 1
osv·2013-02-13·CVSS 9.1
CVE-2012-6531 [CRITICAL] CVE-2012-6531: (1) Zend_Dom, (2) Zend_Feed, and (3) Zend_Soap in Zend Framework 1
(1) Zend_Dom, (2) Zend_Feed, and (3) Zend_Soap in Zend Framework 1.x before 1.11.13 and 1.12.x before 1.12.0 do not properly handle SimpleXMLElement classes, which allow remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack, a different vulnerability than CVE-2012-3363.
No detection rules found.
Bugzilla
CVE-2012-3363 moodle: XXE via Zend library (MSA-13-0016)
bugzilla·2013-03-25·CVSS 9.1
CVE-2012-3363 [CRITICAL] CVE-2012-3363 moodle: XXE via Zend library (MSA-13-0016)
CVE-2012-3363 moodle: XXE via Zend library (MSA-13-0016)
An information disclosure flaw was found in the way XML RPC interface of web services of Moodle, a course management system, performed loading of certain XML files. A remote attacker (valid Moodle user) could use this flaw to obtain sensitive information (certain server files).
References:
[1] http://www.openwall.com/lists/oss-security/2013/03/25/2
Relevant upstream patch:
[2] http://git.moodle.org/gw?p=moodle.git;a=commit;h=dfe203c12e4fdb4696b59928f90bb06cb1d8b9a7
Discussion:
This issue affects the versions of the moodle package, as shipped with Fedora release of 18, 17, and Fedora EPEL-6. Please schedule an update.
--
This issue did NOT affect the version of the moodle package, as shipped with Fedora EPEL-5.
---
Created mo
Bugzilla
CVE-2013-1830 CVE-2013-1831 CVE-2013-1832 CVE-2013-1833 CVE-2012-3363 CVE-2013-1834 CVE-2013-1835 CVE-2013-1836 moodle various flaws [fedora-17]
bugzilla·2013-03-25·CVSS 9.1
CVE-2013-1830 [CRITICAL] CVE-2013-1830 CVE-2013-1831 CVE-2013-1832 CVE-2013-1833 CVE-2012-3363 CVE-2013-1834 CVE-2013-1835 CVE-2013-1836 moodle various flaws [fedora-17]
CVE-2013-1830 CVE-2013-1831 CVE-2013-1832 CVE-2013-1833 CVE-2012-3363 CVE-2013-1834 CVE-2013-1835 CVE-2013-1836 moodle various flaws [fedora-17]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and
Bugzilla
CVE-2013-1830 CVE-2013-1831 CVE-2013-1832 CVE-2013-1833 CVE-2012-3363 CVE-2013-1834 CVE-2013-1835 CVE-2013-1836 moodle various flaws [fedora-18]
bugzilla·2013-03-25·CVSS 9.1
CVE-2013-1830 [CRITICAL] CVE-2013-1830 CVE-2013-1831 CVE-2013-1832 CVE-2013-1833 CVE-2012-3363 CVE-2013-1834 CVE-2013-1835 CVE-2013-1836 moodle various flaws [fedora-18]
CVE-2013-1830 CVE-2013-1831 CVE-2013-1832 CVE-2013-1833 CVE-2012-3363 CVE-2013-1834 CVE-2013-1835 CVE-2013-1836 moodle various flaws [fedora-18]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and
Bugzilla
CVE-2013-1830 CVE-2013-1831 CVE-2013-1832 CVE-2013-1833 CVE-2012-3363 CVE-2013-1834 CVE-2013-1835 CVE-2013-1836 moodle various flaws [epel-6]
bugzilla·2013-03-25·CVSS 9.1
CVE-2013-1830 [CRITICAL] CVE-2013-1830 CVE-2013-1831 CVE-2013-1832 CVE-2013-1833 CVE-2012-3363 CVE-2013-1834 CVE-2013-1835 CVE-2013-1836 moodle various flaws [epel-6]
CVE-2013-1830 CVE-2013-1831 CVE-2013-1832 CVE-2013-1833 CVE-2012-3363 CVE-2013-1834 CVE-2013-1835 CVE-2013-1836 moodle various flaws [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog a
Bugzilla
CVE-2012-3363 php-ZendFramework: File disclosure via XXE injection in Zend_XMLRPC (ZF2012-01)
bugzilla·2012-06-26·CVSS 9.1
CVE-2012-3363 [CRITICAL] CVE-2012-3363 php-ZendFramework: File disclosure via XXE injection in Zend_XMLRPC (ZF2012-01)
CVE-2012-3363 php-ZendFramework: File disclosure via XXE injection in Zend_XMLRPC (ZF2012-01)
A file disclosure flaw was found in the way SimpleXMLElement class of Zend Framework, a PHP framework, processed XML data provided within certain XML-RPC requests (external XML entities were previously possible to specify by adding a specific DOCTYPE element to particular XML-RPC request). A remote attacker could use this flaw to obtain sensitive information by issuing a specially-crafted XML-RPC request to the Zend Framework based PHP application.
References:
[1] http://framework.zend.com/security/advisory/ZF2012-01
[2] http://www.openwall.com/lists/oss-security/2012/06/26/2
[3] https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt
[4] https://secunia.com/advisories/4966
Bugzilla
CVE-2012-3363 php-ZendFramework: Local file disclosure via XXE injection in Zend_XMLRPC (ZF2012-01) [epel-6]
bugzilla·2012-06-26·CVSS 9.1
CVE-2012-3363 [CRITICAL] CVE-2012-3363 php-ZendFramework: Local file disclosure via XXE injection in Zend_XMLRPC (ZF2012-01) [epel-6]
CVE-2012-3363 php-ZendFramework: Local file disclosure via XXE injection in Zend_XMLRPC (ZF2012-01) [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraprojec
Bugzilla
CVE-2012-3363 php-ZendFramework: Local file disclosure via XXE injection in Zend_XMLRPC (ZF2012-01) [fedora-all]
bugzilla·2012-06-26·CVSS 9.1
CVE-2012-3363 [CRITICAL] CVE-2012-3363 php-ZendFramework: Local file disclosure via XXE injection in Zend_XMLRPC (ZF2012-01) [fedora-all]
CVE-2012-3363 php-ZendFramework: Local file disclosure via XXE injection in Zend_XMLRPC (ZF2012-01) [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedorapr
http://framework.zend.com/security/advisory/ZF2012-01http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2013-April/101358.htmlhttp://openwall.com/lists/oss-security/2013/03/25/2http://www.debian.org/security/2012/dsa-2505http://www.openwall.com/lists/oss-security/2012/06/26/2http://www.openwall.com/lists/oss-security/2012/06/26/4http://www.openwall.com/lists/oss-security/2012/06/27/2http://www.securitytracker.com/id?1027208https://moodle.org/mod/forum/discuss.php?d=225345https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txthttp://framework.zend.com/security/advisory/ZF2012-01http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2013-April/101358.htmlhttp://openwall.com/lists/oss-security/2013/03/25/2http://www.debian.org/security/2012/dsa-2505http://www.openwall.com/lists/oss-security/2012/06/26/2http://www.openwall.com/lists/oss-security/2012/06/26/4http://www.openwall.com/lists/oss-security/2012/06/27/2http://www.securitytracker.com/id?1027208https://moodle.org/mod/forum/discuss.php?d=225345https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt
2013-02-13
Published