CVE-2014-2681
published 2014-11-16

CVE-2014-2681: Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler…

Priority: P3
CVSS 2.0: 6.4 (medium), vector AV:N/AC:L/Au:N/C:P/I:N/A:P
EPSS: 2.61% (83.5th percentile)
Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.

Affected

22 ranges

Vendor          Product                          Version range        Fixed in
zend            zend_framework                   < 1.12.4             1.12.4
zend            zend_framework                   >= 2.1.0 < 2.1.6     2.1.6
zend            zend_framework                   >= 2.2.0 < 2.2.6     2.2.6
zend            zendopenid                       <= 2.0.1
zend            zendrest                         <= 2.0.1
zend            zendservice_amazon               <= 2.0.2
zend            zendservice_api                  <= 1.0.0
zend            zendservice_audioscrobbler       <= 2.0.1
zend            zendservice_nirvanix             <= 2.0.1
zend            zendservice_slideshare           <= 2.0.1
zend            zendservice_technorati           <= 2.0.1
zend            zendservice_windowsazure         <= 2.0.1
zendframework   zendframework1                   >= 0 < 1.12.4        1.12.4
zendframework   zendopenid                       >= 0 < 2.0.2         2.0.2
zendframework   zendrest                         >= 0 < 2.0.2         2.0.2
zendframework   zendservice-amazon               >= 0 < 2.0.3         2.0.3
zendframework   zendservice-api                  >= 0 < 1.0.0         1.0.0
zendframework   zendservice-audioscrobbler       >= 0 < 2.0.2         2.0.2
zendframework   zendservice-nirvanix             >= 0 < 2.0.2         2.0.2
zendframework   zendservice-slideshare           >= 0 < 2.0.2         2.0.2
zendframework   zendservice-technorati           >= 0 < 2.0.2         2.0.2
zendframework   zendservice-windowsazure         >= 0 < 2.0.2         2.0.2

CVSS provenance

Source   CVSS version   Score   Severity   Vector
nvd      2.0            6.4     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:P
ghsa                    5.0     MEDIUM
osv                     5.0     MEDIUM