CVE-2012-5657
published 2013-05-02CVE-2012-5657: The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote attackers to…
PriorityP428medium5CVSS 2.0
AVNACLAuNCPINAN
EPSS
1.70%
74.4th percentile
The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack.
Affected
39 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zend | zend_framework | < 1.12.4 | 1.12.4 |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | >= 2.1.0 < 2.1.6 | 2.1.6 |
| zend | zend_framework | >= 2.2.0 < 2.2.6 | 2.2.6 |
| zend | zendopenid | <= 2.0.1 | — |
| zend | zendrest | <= 2.0.1 | — |
| zend | zendservice_amazon | <= 2.0.2 | — |
| zend | zendservice_api | <= 1.0.0 | — |
| zend | zendservice_audioscrobbler | <= 2.0.1 | — |
| zend | zendservice_nirvanix | <= 2.0.1 | — |
| zend | zendservice_slideshare | <= 2.0.1 | — |
CVSS provenance
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
ghsa5.0MEDIUM
osv5.0MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Zend Framework XXE Vulnerability
osv·2022-05-17
CVE-2012-5657 [MEDIUM] Zend Framework XXE Vulnerability
Zend Framework XXE Vulnerability
The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack.
GHSA
Zend Framework XXE Vulnerability
ghsa·2022-05-17
CVE-2012-5657 [MEDIUM] CWE-200 Zend Framework XXE Vulnerability
Zend Framework XXE Vulnerability
The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack.
GHSA
Several Zend Products Vulnerable to XXE and XEE attacks
ghsa·2022-05-14·CVSS 5.0
CVE-2014-2681 [MEDIUM] CWE-611 Several Zend Products Vulnerable to XXE and XEE attacks
Several Zend Products Vulnerable to XXE and XEE attacks
Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.
OSV
Several Zend Products Vulnerable to XXE and XEE attacks
osv·2022-05-14·CVSS 5.0
CVE-2014-2681 [MEDIUM] Several Zend Products Vulnerable to XXE and XEE attacks
Several Zend Products Vulnerable to XXE and XEE attacks
Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.
OSV
Several Zend Products Vulnerable to XXE and XEE attacks
osv·2022-05-14·CVSS 5.0
CVE-2014-2682 [MEDIUM] Several Zend Products Vulnerable to XXE and XEE attacks
Several Zend Products Vulnerable to XXE and XEE attacks
Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0, when PHP-FPM is used, does not properly share the libxml_disable_entity_loader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.
GHSA
Several Zend Products Vulnerable to XXE and XEE attacks
ghsa·2022-05-14·CVSS 5.0
CVE-2014-2682 [MEDIUM] CWE-611 Several Zend Products Vulnerable to XXE and XEE attacks
Several Zend Products Vulnerable to XXE and XEE attacks
Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0, when PHP-FPM is used, does not properly share the libxml_disable_entity_loader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.
OSV
CVE-2012-5657: The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1
osv·2013-05-02·CVSS 5.0
CVE-2012-5657 [MEDIUM] CVE-2012-5657: The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1
The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-2681 CVE-2014-2682 CVE-2014-2683 php-ZendFramework: XML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws fixed in 1.12.4, 2.1.6, and 2.2.6 (ZF2014-01)
bugzilla·2014-03-27·CVSS 5.0
CVE-2014-2681 [MEDIUM] CVE-2014-2681 CVE-2014-2682 CVE-2014-2683 php-ZendFramework: XML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws fixed in 1.12.4, 2.1.6, and 2.2.6 (ZF2014-01)
CVE-2014-2681 CVE-2014-2682 CVE-2014-2683 php-ZendFramework: XML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws fixed in 1.12.4, 2.1.6, and 2.2.6 (ZF2014-01)
XML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws were discovered in the Zend Framework. An attacker could use these flaws to cause a denial of service, access files accessible to the server process, or possibly perform other more advanced XML External Entity (XXE) attacks.
These issues have been fixed in versions 1.12.4, 2.1.6, and 2.2.6.
External References:
http://framework.zend.com/security/advisory/ZF2014-01
Discussion:
Created php-ZendFramework2 tracking bugs for this issue:
Affects: fedora-all [bug 1081291]
Affects: epel-6 [bug 1081293]
---
Created php-ZendFramework tracking bugs for this issue
Bugzilla
CVE-2012-5657 php-ZendFramework: information disclosure flaw due to error when processing XML data [fedora-all]
bugzilla·2012-12-20·CVSS 5.0
CVE-2012-5657 [MEDIUM] CVE-2012-5657 php-ZendFramework: information disclosure flaw due to error when processing XML data [fedora-all]
CVE-2012-5657 php-ZendFramework: information disclosure flaw due to error when processing XML data [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when avail
Bugzilla
CVE-2012-5657 php-ZendFramework: information disclosure flaw due to error when processing XML data [epel-6]
bugzilla·2012-12-20·CVSS 5.0
CVE-2012-5657 [MEDIUM] CVE-2012-5657 php-ZendFramework: information disclosure flaw due to error when processing XML data [epel-6]
CVE-2012-5657 php-ZendFramework: information disclosure flaw due to error when processing XML data [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when avai
Bugzilla
CVE-2012-5657 php-ZendFramework: information disclosure flaw due to error when processing XML data
bugzilla·2012-12-20·CVSS 5.0
CVE-2012-5657 [MEDIUM] CVE-2012-5657 php-ZendFramework: information disclosure flaw due to error when processing XML data
CVE-2012-5657 php-ZendFramework: information disclosure flaw due to error when processing XML data
A vulnerability was reported in Zend Framework versions prior to 1.11.15 and 1.12.1, which can be exploited to disclose certain sensitive information. This flaw is caused due to an error in the "Zend_Feed_Rss" and "Zend_Feed_Atom" classes of the "Zend_Feed" component, when processing XML data. It can be used to disclose the contents of certain local files by sending specially crafted XML data including external entity references.
External References:
http://framework.zend.com/security/advisory/ZF2012-05
Discussion:
Created php-ZendFramework tracking bugs for this issue
Affects: fedora-all [bug 889038]
Affects: epel-6 [bug 889039]
---
The CVE identifier of CVE-2012-5657 has been assig
http://framework.zend.com/security/advisory/ZF2012-05http://openwall.com/lists/oss-security/2012/12/20/2http://openwall.com/lists/oss-security/2012/12/20/4http://secunia.com/advisories/51583http://www.debian.org/security/2012/dsa-2602http://www.mandriva.com/security/advisories?name=MDVSA-2013:115http://framework.zend.com/security/advisory/ZF2012-05http://openwall.com/lists/oss-security/2012/12/20/2http://openwall.com/lists/oss-security/2012/12/20/4http://secunia.com/advisories/51583http://www.debian.org/security/2012/dsa-2602http://www.mandriva.com/security/advisories?name=MDVSA-2013:115
2013-05-02
Published