CVE-2014-2683 — XML External Entity (XXE) Injection in Framework

CWE-611 — XML External Entity (XXE) Injection CWE-776 — XML Entity Expansion5 documents5 sources

Severity

5.0MEDIUMNVD

EPSS

2.6%

top 14.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zend Framework Zendframework Zendframework1 Zendframework Zendopenid +17 more

Timeline

PublishedNov 16

Latest updateMay 14

Description

Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to cause a denial of service (CPU consumption) via (1) recursive or (2) circular references in an XML entity definition in an XML DOCTYPE declaration, aka a…

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages20 packages

▶Packagistzendframework/zendrest< 2.0.2

▶Packagistzendframework/zendopenid< 2.0.2

▶Packagistzendframework/zendservice-api< 1.0.0

▶Packagistzendframework/zendservice-amazon< 2.0.3

▶Packagistzendframework/zendservice-nirvanix< 2.0.2

🔴Vulnerability Details

GHSA

Several Zend Products Vulnerable to XXE and XEE attacks↗2022-05-14

▶

OSV

Several Zend Products Vulnerable to XXE and XEE attacks↗2022-05-14

▶

CVEList

CVE-2014-2683: Zend Framework 1 (ZF1) before 1↗2014-11-16

▶

💬Community

Bugzilla

CVE-2014-2681 CVE-2014-2682 CVE-2014-2683 php-ZendFramework: XML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws fixed in 1.12.4, 2.1.6, and 2.2.6 (ZF2014-01)↗2014-03-27

▶