CVE-2014-2682

Published Nov 16, 2014

Last updated 5 years ago

CVSS info 6.8

Overview

Description: Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0, when PHP-FPM is used, does not properly share the libxml_disable_entity_loader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.
Source: cve@mitre.org
NVD status: Analyzed

Risk scores

CVSS 2.0

Type: Primary
Base score: 6.8
Impact score: 6.4
Exploitability score: 8.6
Vector string: AV:N/AC:M/Au:N/C:P/I:P/A:P

Weaknesses

nvd@nist.gov: CWE-19

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:zend:zendrest:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8355D554-59F8-40DE-BEED-9608E710689F",
            "versionEndIncluding": "2.0.1"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "836B23B2-F868-4068-8CAE-F9E0C9844D35",
            "versionEndExcluding": "1.12.4"
          },
          {
            "criteria": "cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CADA4077-F8CC-44EB-854A-8397EEF4D99D",
            "versionEndExcluding": "2.1.6",
            "versionStartIncluding": "2.1.0"
          },
          {
            "criteria": "cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1211BC37-763D-4B18-87D8-6727CC049F81",
            "versionEndExcluding": "2.2.6",
            "versionStartIncluding": "2.2.0"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:zend:zendservice_slideshare:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7EA03FE2-F2AF-4AAC-8699-B83428A177B9",
            "versionEndIncluding": "2.0.1"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:zend:zendservice_api:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C2BF3B28-536C-478F-8837-91AEAF4E182F",
            "versionEndIncluding": "1.0.0"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:zend:zendservice_audioscrobbler:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "AE7B01AC-43F4-46C7-ADFD-25EB628A3060",
            "versionEndIncluding": "2.0.1"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:zend:zendservice_amazon:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "48545222-B223-4056-8AE4-0462089A8FDD",
            "versionEndIncluding": "2.0.2"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:zend:zendservice_technorati:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "01842993-10EC-49E4-BDC8-BB2379B0A938",
            "versionEndIncluding": "2.0.1"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:zend:zendservice_windowsazure:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4C20DCB6-DB3C-4D05-A80C-83E6A9E1BFDF",
            "versionEndIncluding": "2.0.1"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:zend:zendopenid:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "255171B6-0A4C-4757-ADDA-28916398499C",
            "versionEndIncluding": "2.0.1"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:zend:zendservice_nirvanix:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "AD90BDD0-0155-4D4C-AA05-FF87C6ABC47F",
            "versionEndIncluding": "2.0.1"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 2.0

Weaknesses

Social media

Configurations

References