CVE-2014-2683
published 2014-11-16

Priority: P4 (23, medium)
CVSS 2.0: 5 (AV:N / AC:L / Au:N / C:N / I:N / A:P)
EPSS: 2.37% (81.7th percentile)
Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to cause a denial of service (CPU consumption) via (1) recursive or (2) circular references in an XML entity definition in an XML DOCTYPE declaration, aka an XML Entity Expansion (XEE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-6532.

Affected (22 ranges)

Vendor         | Product                       | Version range       | Fixed in
---------------|-------------------------------|---------------------|---------
zend           | zend_framework                | < 1.12.4            | 1.12.4
zend           | zend_framework                | >= 2.1.0 < 2.1.6    | 2.1.6
zend           | zend_framework                | >= 2.2.0 < 2.2.6    | 2.2.6
zend           | zendopenid                    | <= 2.0.1            | -
zend           | zendrest                      | <= 2.0.1            | -
zend           | zendservice_amazon            | <= 2.0.2            | -
zend           | zendservice_api               | <= 1.0.0            | -
zend           | zendservice_audioscrobbler    | <= 2.0.1            | -
zend           | zendservice_nirvanix          | <= 2.0.1            | -
zend           | zendservice_slideshare        | <= 2.0.1            | -
zend           | zendservice_technorati        | <= 2.0.1            | -
zend           | zendservice_windowsazure      | <= 2.0.1            | -
zendframework  | zendframework1                | >= 0 < 1.12.4       | 1.12.4
zendframework  | zendopenid                    | >= 0 < 2.0.2        | 2.0.2
zendframework  | zendrest                      | >= 0 < 2.0.2        | 2.0.2
zendframework  | zendservice-amazon            | >= 0 < 2.0.3        | 2.0.3
zendframework  | zendservice-api               | >= 0 < 1.0.0        | 1.0.0
zendframework  | zendservice-audioscrobbler    | >= 0 < 2.0.2        | 2.0.2
zendframework  | zendservice-nirvanix          | >= 0 < 2.0.2        | 2.0.2
zendframework  | zendservice-slideshare        | >= 0 < 2.0.2        | 2.0.2
zendframework  | zendservice-technorati        | >= 0 < 2.0.2        | 2.0.2
zendframework  | zendservice-windowsazure      | >= 0 < 2.0.2        | 2.0.2

CVSS provenance

Source | CVSS version | Score | Severity | Vector
-------|--------------|-------|----------|---------------------------
nvd    | 2.0          | 5.0   | MEDIUM   | AV:N/AC:L/Au:N/C:N/I:N/A:P
ghsa   | -            | 5.0   | MEDIUM   | -
osv    | -            | 5.0   | MEDIUM   | -