CVE-2015-3154
Published: 2020-01-27
Priority: P4 · 28 · medium · CVSS 3.1 base score 6.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.01% (58.7th percentile)
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zend | zend_framework | < 1.12.12 | 1.12.12 |
| zend | zend_framework | >= 2.3.0 < 2.3.8 | 2.3.8 |
| zend | zend_framework | >= 2.4.0 < 2.4.1 | 2.4.1 |
| zend_technologies | zend_framework | — | — |
| zend_technologies | zend_framework | — | — |
| zend_technologies | zend_framework | — | — |
| zendframework | zend-http | >= 0 < 1.12.12 | 1.12.12 |
| zendframework | zend-http | >= 2.0.0beta4 < 2.3.8 | 2.3.8 |
| zendframework | zend-http | >= 2.4.0rc1 < 2.4.1 | 2.4.1 |
| zendframework | zendframework | >= 2.0.0beta4 < 2.3.8 | 2.3.8 |
| zendframework | zendframework | >= 2.4.0rc1 < 2.4.1 | 2.4.1 |
| zendframework | zendframework1 | >= 0 < 1.12.12 | 1.12.12 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 6.1 | MEDIUM | — |
OSV
Zenario CMS vulnerable to CRLF injection
osv · 2022-05-24 · MEDIUM
GHSA
Zenario CMS vulnerable to CRLF injection
ghsa · 2022-05-24 · MEDIUM · CWE-74
OSV
CVE-2015-3154: CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1
osv · 2020-01-27 · CVSS 6.1 · MEDIUM
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-3154 php-ZendFramework: php-ZendFramework2: ZF2015-04: Potential header and mail injection vulnerability [epel-all]
bugzilla · 2015-05-21 · CVSS 6.1 · MEDIUM
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE
Bugzilla
CVE-2015-3154 php-ZendFramework: php-ZendFramework2: ZF2015-04: Potential header and mail injection vulnerability [fedora-all]
bugzilla · 2015-05-21 · CVSS 6.1 · MEDIUM
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: t
Bugzilla
CVE-2015-3154 php-ZendFramework2: ZF2015-04: Potential header and mail injection vulnerability [fedora-all]
bugzilla · 2015-05-21 · CVSS 6.1 · MEDIUM
Automatically created tracking bug for Fedora (same text as the preceding Fedora tracking bug).
NOTE: this issue affects m
Bugzilla
CVE-2015-3154 php-ZendFramework2: ZF2015-04: Potential header and mail injection vulnerability [epel-all]
bugzilla · 2015-05-21 · CVSS 6.1 · MEDIUM
Automatically created tracking bug for Fedora EPEL (same text as the preceding EPEL tracking bug).
NOTE: this issue affect
Bugzilla
CVE-2015-3154 php-ZendFramework2: ZF2015-04: Potential header and mail injection vulnerability
bugzilla · 2015-04-27 · CVSS 6.1 · MEDIUM
Zend Framework upstream reported the below issue:
"""
Title: ZF2015-04: Potential header and mail injection vulnerability
Type: Bypass
We have confirmed a vulnerability reported against the Zend\Mail component in
Zend Framework 2, specifically in how it handles headers. Headers are not
correctly filtered for newlines, allowing the ability to:
- send additional, unrelated headers
- bypass additional headers by emitting the header/body separator sequence
We are in the process of reviewing a patch, and plan to release the following
new ZF2 versions with the patch in the next 1-2 weeks:
- Zend Framework 2.3.8
- Zend Framework 2.4.1
"""
Discussion:
This is now public:
http://framework.zend.com
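The advisory quoted above describes the mechanism: a header value that is not filtered for newlines lets a single CRLF start a new header, and a double CRLF (the header/body separator) terminate the header block so that anything after it is no longer treated as a header. The PHP below is an added illustration of the kind of input check that closes this class of bug; it is not the Zend Framework patch and not code from the advisory or the Bugzilla thread. The function names (`assertSafeHeaderValue`, `stripLineBreaks`) and the sample subject values are hypothetical and constructed for the example.

```php
<?php
// Added example, not part of the Zend Framework fix or of any advisory on this page.
// A user-controlled value that ends up in a mail (or HTTP) header must never contain
// CR or LF: one CRLF begins a new header, two CRLFs end the header block entirely.

declare(strict_types=1);

final class HeaderInjectionException extends InvalidArgumentException {}

/**
 * Reject any header value that contains a line break or a NUL byte.
 * Hypothetical helper: call it on every externally supplied value
 * (Subject, From, To, Reply-To, ...) before handing it to a mail library.
 */
function assertSafeHeaderValue(string $name, string $value): string
{
    // CR (0x0D), LF (0x0A) and NUL (0x00) are never legitimate inside one header
    // value. Pre-folded input (CRLF + whitespace) is refused as well; a mail
    // library should fold long lines itself rather than trust the caller.
    if (preg_match('/[\r\n\x00]/', $value) === 1) {
        throw new HeaderInjectionException(
            sprintf('Header "%s" contains a line break or NUL byte', $name)
        );
    }
    return $value;
}

/**
 * Softer alternative for display-only fields such as Subject: collapse any run
 * of CR/LF into a single space instead of rejecting the whole request.
 */
function stripLineBreaks(string $value): string
{
    return preg_replace('/[\r\n]+/', ' ', str_replace("\0", '', $value));
}

// Constructed sample inputs (not taken from the advisory).
$samples = [
    'Hello from the contact form',               // benign
    "Hello\r\nBcc: third-party@example.invalid", // CRLF starts an extra header
    "Hello\r\n\r\nThis text lands in the body",  // CRLFCRLF is the header/body separator
    "Hello\nX-Injected: 1",                      // a bare LF is enough on many stacks
];

foreach ($samples as $subject) {
    try {
        assertSafeHeaderValue('Subject', $subject);
        echo 'accepted: ' . json_encode($subject) . PHP_EOL;
    } catch (HeaderInjectionException $e) {
        // Log the rejection and do not send the message.
        echo 'rejected: ' . json_encode($subject) . ' (' . $e->getMessage() . ')' . PHP_EOL;
        echo '  sanitised form: ' . json_encode(stripLineBreaks($subject)) . PHP_EOL;
    }
}
```

Run it with `php` on the command line: the first sample is accepted, the remaining three are rejected, and the sanitised form shows what the subject would look like if the application preferred to normalise rather than refuse. The same check applies to values that are reflected into HTTP response headers (redirect targets, cookie values), which is the "HTTP response splitting" half of the CVE description above. Upgrading to the fixed Zend Framework versions listed in the affected-ranges table is still the actual remediation; the check shown here is defence in depth at the application boundary.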