ZendFramework potential XML eXternal Entity injection vectors · GHSA-mhpx-3rv8-wrjm · GitHub Advisory Database · GitHub

ZendFramework potential XML eXternal Entity injection vectors

Critical severity GitHub Reviewed Published Jun 7, 2024 to the GitHub Advisory Database • Updated Jun 7, 2024

Package

zendframework/zendframework1 (Composer)

Affected versions

>= 1.12.0, < 1.12.4

Patched versions

1.12.4

Description

Numerous components utilizing PHP's DOMDocument, SimpleXML, and xml_parse functionality are vulnerable to two types of attacks:

XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.
XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.

References

Published to the GitHub Advisory Database Jun 7, 2024

Reviewed Jun 7, 2024

Last updated Jun 7, 2024

Severity

Critical

9.8

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H