CVE-2014-2682
medium
CVSS v3
—
CVSS v2
6.8
VIR risk
6.8
Description
Several Zend Products Vulnerable to XXE and XEE attacks
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cve@mitre.org — http://framework.zend.com/security/advisory/ZF2014-01
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | zendframework/zendframework1 | <1.12.4 | 1.12.4 |
| Packagist | zendframework/zendopenid | <2.0.2 | 2.0.2 |
| Packagist | zendframework/zendrest | <2.0.2 | 2.0.2 |
| Packagist | zendframework/zendservice-audioscrobbler | <2.0.2 | 2.0.2 |
| Packagist | zendframework/zendservice-nirvanix | <2.0.2 | 2.0.2 |
| Packagist | zendframework/zendservice-slideshare | <2.0.2 | 2.0.2 |
| Packagist | zendframework/zendservice-technorati | <2.0.2 | 2.0.2 |
| Packagist | zendframework/zendservice-windowsazure | <2.0.2 | 2.0.2 |
| Packagist | zendframework/zendservice-amazon | <2.0.3 | 2.0.3 |
| Packagist | zendframework/zendservice-api | <1.0.0 | 1.0.0 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| zend | zendrest | {"endIncluding":"2.0.1"} | |
| zend | zend_framework | {"endExcluding":"1.12.4"} | 1.12.4 |
| zend | zendservice_slideshare | {"endIncluding":"2.0.1"} | |
| zend | zendservice_api | {"endIncluding":"1.0.0"} | |
| zend | zendservice_audioscrobbler | {"endIncluding":"2.0.1"} | |
| zend | zendservice_amazon | {"endIncluding":"2.0.2"} | |
| zend | zendservice_technorati | {"endIncluding":"2.0.1"} | |
| zend | zendservice_windowsazure | {"endIncluding":"2.0.1"} | |
| zend | zendopenid | {"endIncluding":"2.0.1"} | |
| zend | zendservice_nirvanix | {"endIncluding":"2.0.1"} | |
References
- http://advisories.mageia.org/MGASA-2014-0151.html
- http://framework.zend.com/security/advisory/ZF2014-01
- http://seclists.org/oss-sec/2014/q2/0
- http://www.debian.org/security/2015/dsa-3265
- http://www.mandriva.com/security/advisories?name=MDVSA-2014:072
- http://www.securityfocus.com/bid/66358
- https://nvd.nist.gov/vuln/detail/CVE-2014-2682
- https://web.archive.org/web/20140419041226/http://www.securityfocus.com/bid/66358
- https://web.archive.org/web/20150523055201/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:072/?name=MDVSA-2014:072
CWEs
CWE-19
Verify integrity in audit chain (admin only). AS-IS.