CVE-2013-1643
Published 2013-03-06
Priority: P3 · 36 · medium · 5 (CVSS 2.0)
AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS: 10.14% (95.1th percentile)
The SOAP parser in PHP before 5.3.23 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-1824.
Affected
126 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php | php | <= 5.3.21 | — |
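CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vendor_redhat | — | 5.0 | MEDIUM | — |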
GHSA
GHSA-g625-6qfm-gm8r: The SOAP parser in PHP before 5
ghsa_unreviewed · 2022-05-17 · CVSS 4.3
CVE-2013-1643 [MEDIUM] CWE-200 GHSA-g625-6qfm-gm8r: The SOAP parser in PHP before 5
Ubuntu
PHP vulnerability
vendor_ubuntu · 2013-03-13
CVE-2013-1643 PHP vulnerability
Title: PHP vulnerability
Summary: PHP could be made to expose sensitive information over the network.
It was discovered that PHP incorrectly handled XML external entities in
SOAP WSDL files. A remote attacker could use this flaw to read arbitrary
files off the server.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
php: Ability to read arbitrary files due use of external entities while parsing SOAP WSDL files
vendor_redhat · 2013-02-20 · CVSS 5.0
CVE-2013-1643 [MEDIUM] php: Ability to read arbitrary files due use of external entities while parsing SOAP WSDL files
No detection rules found.
No public exploits indexed.
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702221
- http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=8e76d0404b7f664ee6719fd98f0483f0ac4669d6
- http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00034.html
- http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00006.html
- http://rhn.redhat.com/errata/RHSA-2013-1307.html
- http://rhn.redhat.com/errata/RHSA-2013-1615.html
- http://secunia.com/advisories/55078
- http://support.apple.com/kb/HT5880
- http://www.debian.org/security/2013/dsa-2639
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:114
- http://www.php.net/ChangeLog-5.php
- http://www.ubuntu.com/usn/USN-1761-1
- https://bugs.gentoo.org/show_bug.cgi?id=459904
- https://bugzilla.redhat.com/show_bug.cgi?id=918187
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0101
Published: 2013-03-06