CVE-2012-5657: Sensitive Information Exposure in Framework

Severity
6.8 MEDIUM (NVD)
NVD 6.4 | NVD 5.0 | CNA 5.0 | GHSA 5.0 | OSV 5.0
EPSS
0.7%
top 27.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: May 2
Latest update: May 17

Description

The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack.

CVSS vector

AV:N/AC:L/C:P/I:N/A:N
Exploitability: 10.0 | Impact: 2.9

Affected Packages: 20 packages

Vulnerability Details

10
OSV: Zend Framework XXE Vulnerability (2022-05-17)
GHSA: Zend Framework XXE Vulnerability (2022-05-17)
GHSA: Several Zend Products Vulnerable to XXE and XEE attacks (2022-05-14)
OSV: Several Zend Products Vulnerable to XXE and XEE attacks (2022-05-14)
OSV: Several Zend Products Vulnerable to XXE and XEE attacks (2022-05-14)

Community

4
Bugzilla: CVE-2014-2681 CVE-2014-2682 CVE-2014-2683 php-ZendFramework: XML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws fixed in 1.12.4, 2.1.6, and 2.2.6 (ZF2014-01) (2014-03-27)
Bugzilla: CVE-2012-5657 php-ZendFramework: information disclosure flaw due to error when processing XML data [fedora-all] (2012-12-20)
Bugzilla: CVE-2012-5657 php-ZendFramework: information disclosure flaw due to error when processing XML data [epel-6] (2012-12-20)
Bugzilla: CVE-2012-5657 php-ZendFramework: information disclosure flaw due to error when processing XML data (2012-12-20)