CVE-2015-5161
Published 2015-08-25
Priority P3 · 49 · medium · 6.8 CVSS 2.0
AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 9.91% (95.0th percentile)
The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters.
Affected
137 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| opensuse | leap | — | — |
| opensuse | opensuse | — | — |
| php | php | >= 5.5.0 < 5.5.22 | 5.5.22 |
| php | php | >= 5.6.0 < 5.6.6 | 5.6.6 |
| php | php | >= 7.0.0 < 7.0.27 | 7.0.27 |
| php | php | >= 7.1.0 < 7.1.13 | 7.1.13 |
| php | php | >= 7.2.0 < 7.2.1 | 7.2.1 |
| php5 | php5 | >= 0 < 5.5.9+dfsg-1ubuntu4.16 | 5.5.9+dfsg-1ubuntu4.16 |
| suse | linux_enterprise_module_for_web_scripting | — | — |
| suse | linux_enterprise_software_development_kit | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
| zend | zend_framework | — | — |
CVSS provenance
nvd · v2.0 · 6.8 MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
osv · 6.8 MEDIUM
vendor_redhat · 6.8 MEDIUM
OSV
ZendXml and Zend Framework contain XXE and XEE Vulnerabilities
osv·2022-05-17
CVE-2015-5161 [MEDIUM] ZendXml and Zend Framework contain XXE and XEE Vulnerabilities
The `Zend_Xml_Security::scan` in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters.
GHSA
ZendXml and Zend Framework contain XXE and XEE Vulnerabilities
ghsa·2022-05-17
CVE-2015-5161 [MEDIUM] CWE-611 ZendXml and Zend Framework contain XXE and XEE Vulnerabilities
The `Zend_Xml_Security::scan` in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters.
GHSA
GHSA-x5qj-644j-7xc7: ext/libxml/libxml
ghsa_unreviewed·2022-05-14·CVSS 6.8
CVE-2015-8866 [MEDIUM] CWE-611 GHSA-x5qj-644j-7xc7: ext/libxml/libxml
ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161.
OSV
CVE-2015-8866: ext/libxml/libxml
osv·2016-05-22·CVSS 6.8
CVE-2015-8866 [MEDIUM] CVE-2015-8866: ext/libxml/libxml
ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161.
Red Hat
php: libxml_disable_entity_loader setting is shared between threads
vendor_redhat·2016-04-21·CVSS 6.8
CVE-2015-8866 [MEDIUM] php: libxml_disable_entity_loader setting is shared between threads
ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161.
Package: php (Red Hat Enterprise Linux 5) - Will not fix
Package: php53 (Red Hat Enterprise Linux 5) - Will not fix
Package: php (Red Hat Enterprise Linux 6) - Will not fix
Package: php (Red Hat Enterprise Linux 7) - Will not fix
Package: php54-php (Red Hat Software Collections) - Will not fix
Package: php55-php (Red Hat Software Collections) - Will not fix
No detection rules found.
Exploit-DB
eBay Magento 1.9.2.1 - PHP FPM XML eXternal Entity Injection
exploitdb·2015-10-30·CVSS 6.8
CVE-2015-5161 [MEDIUM] eBay Magento 1.9.2.1 - PHP FPM XML eXternal Entity Injection
---
- Release date: 29.10.2015
- Discovered by: Dawid Golunski
- Severity: High/Critical
- eBay Magento ref.: APPSEC-1045
I. VULNERABILITY
eBay Magento CE Sender
Detected use of ENTITY in XML, disabled to prevent XXE/XEE
attacks
Below is a POC exploit that automates the steps necessary to bypass this
protection on Magento served with PHP-FPM, and remotely exploit the XXE issue
in Magento's SOAP API without authentication.
Authentication is not required for the exploitation, as Magento first needs to
load the malicious XML data in order to read credentials within the SOAP
login method. Loading malicious XML may be enough to trigger attacker's payload
within the entities (in case of libxml2 library auto-expanding entities).
Exploit-DB
Zend Framework 2.4.2 - PHP FPM XML eXternal Entity Injection
exploitdb·2015-08-13·CVSS 6.8
CVE-2015-5161 [MEDIUM] Zend Framework 2.4.2 - PHP FPM XML eXternal Entity Injection
---
- Release date: 12.08.2015
- Discovered by: Dawid Golunski
- Severity: High
- CVE-ID: CVE-2015-5161
I. VULNERABILITY
Zend Framework
```php
loadXml($xml, LIBXML_NONET);
restore_error_handler();
if (!self::isPhpFpm()) {
    libxml_disable_entity_loader($loadEntities);
    libxml_use_internal_errors($useInternalXmlErrors);
}
if (!$result) {
    return false;
}
// Scan for potential XEE attacks using ENTITY, if not PHP-FPM
if (!self::isPhpFpm()) {
    foreach ($dom->childNodes as $child) {
        if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
            if ($child->entities->length > 0) {
                require_once 'Exception.php';
                throw new Zend_Xml_Exception(self::ENTITY_DETECT);
            }
        }
    }
}
if (isset($simpleXml)) {
    $result = simplexml_import_dom($dom);
    if (!$result instan
```
Bugzilla
CVE-2015-5161 php-ZendFramework: XML external entity injection (XXE) on PHP FPM [epel-7]
bugzilla·2015-08-13·CVSS 6.8
CVE-2015-5161 [MEDIUM] CVE-2015-5161 php-ZendFramework: XML external entity injection (XXE) on PHP FPM [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-7 tracking bug for php-ZendFramewor
Bugzilla
CVE-2015-5161 php-ZendFramework2: php-ZendFramework: XML external entity injection (XXE) on PHP FPM [epel-7]
bugzilla·2015-08-13·CVSS 6.8
CVE-2015-5161 [MEDIUM] CVE-2015-5161 php-ZendFramework2: php-ZendFramework: XML external entity injection (XXE) on PHP FPM [epel-7]
epel-7 tracking bug
Bugzilla
CVE-2015-5161 php-ZendFramework: XML external entity injection (XXE) on PHP FPM
bugzilla·2015-08-13·CVSS 6.8
CVE-2015-5161 [MEDIUM] CVE-2015-5161 php-ZendFramework: XML external entity injection (XXE) on PHP FPM
CVE-2015-5161 php-ZendFramework: XML external entity injection (XXE) on PHP FPM
An XXE vulnerability was found in Zend Framework when using ZendXml on multibyte payloads, allowing an attacker to perform unauthorized access, remote command execution or DoS.
Affected versions are claimed to be <= 1.12.13 and <= 2.4.2.
External reference:
http://seclists.org/fulldisclosure/2015/Aug/46
Discussion:
Created php-ZendFramework2 tracking bugs for this issue:
Affects: fedora-all [bug 1253252]
---
Created php-ZendFramework tracking bugs for this issue:
Affects: fedora-all [bug 1253251]
---
Created php-ZendFramework2 tracking bugs for this issue:
Affects: epel-6 [bug 1253254]
---
Created php-ZendFramework tracking bugs for this issue:
Affects: epel-6 [bug 1253253]
---
Created php-Zen
Bugzilla
CVE-2015-5161 php-ZendFramework: XML external entity injection (XXE) on PHP FPM [fedora-all]
bugzilla·2015-08-13·CVSS 6.8
CVE-2015-5161 [MEDIUM] CVE-2015-5161 php-ZendFramework: XML external entity injection (XXE) on PHP FPM [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple support
Bugzilla
CVE-2015-5161 php-ZendFramework2: php-ZendFramework: XML external entity injection (XXE) on PHP FPM [fedora-all]
bugzilla·2015-08-13·CVSS 6.8
CVE-2015-5161 [MEDIUM] CVE-2015-5161 php-ZendFramework2: php-ZendFramework: XML external entity injection (XXE) on PHP FPM [fedora-all]
NOTE: this issue affe
Bugzilla
CVE-2015-5161 php-ZendFramework: XML external entity injection (XXE) on PHP FPM [epel-6]
bugzilla·2015-08-13·CVSS 6.8
CVE-2015-5161 [MEDIUM] CVE-2015-5161 php-ZendFramework: XML external entity injection (XXE) on PHP FPM [epel-6]
epel-6 tracking bug for php-ZendFramewor
Bugzilla
CVE-2015-5161 php-ZendFramework2: php-ZendFramework: XML external entity injection (XXE) on PHP FPM [epel-6]
bugzilla·2015-08-13·CVSS 6.8
CVE-2015-5161 [MEDIUM] CVE-2015-5161 php-ZendFramework2: php-ZendFramework: XML external entity injection (XXE) on PHP FPM [epel-6]
epel-6 tracking bug
- http://framework.zend.com/security/advisory/ZF2015-06
- http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164409.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165147.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165173.html
- http://packetstormsecurity.com/files/133068/Zend-Framework-2.4.2-1.12.13-XXE-Injection.html
- http://seclists.org/fulldisclosure/2015/Aug/46
- http://www.debian.org/security/2015/dsa-3340
- http://www.securityfocus.com/bid/76177
- https://www.exploit-db.com/exploits/37765/