cbcvebase.
CVE-2014-2682
published 2014-11-16

CVE-2014-2682: Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler…

PriorityP433medium6.8CVSS 2.0
AVNACMAuNCPIPAP
EPSS
2.16%
80.0th percentile
Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0, when PHP-FPM is used, does not properly share the libxml_disable_entity_loader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.

Affected

22 ranges
VendorProductVersion rangeFixed in
zendzend_framework< 1.12.41.12.4
zendzend_framework>= 2.1.0 < 2.1.62.1.6
zendzend_framework>= 2.2.0 < 2.2.62.2.6
zendzendopenid<= 2.0.1
zendzendrest<= 2.0.1
zendzendservice_amazon<= 2.0.2
zendzendservice_api<= 1.0.0
zendzendservice_audioscrobbler<= 2.0.1
zendzendservice_nirvanix<= 2.0.1
zendzendservice_slideshare<= 2.0.1
zendzendservice_technorati<= 2.0.1
zendzendservice_windowsazure<= 2.0.1
zendframeworkzendframework1>= 0 < 1.12.41.12.4
zendframeworkzendopenid>= 0 < 2.0.22.0.2
zendframeworkzendrest>= 0 < 2.0.22.0.2
zendframeworkzendservice-amazon>= 0 < 2.0.32.0.3
zendframeworkzendservice-api>= 0 < 1.0.01.0.0
zendframeworkzendservice-audioscrobbler>= 0 < 2.0.22.0.2
zendframeworkzendservice-nirvanix>= 0 < 2.0.22.0.2
zendframeworkzendservice-slideshare>= 0 < 2.0.22.0.2
zendframeworkzendservice-technorati>= 0 < 2.0.22.0.2
zendframeworkzendservice-windowsazure>= 0 < 2.0.22.0.2

CVSS provenance

nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
ghsa5.0MEDIUM
osv5.0MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.