GHSA-2jx7-xg83-j2m7

Опубликовано: 07 июн. 2024

Источник: github

Github: Прошло ревью

CVSS3: 7.5

Описание

Zendframework Denial of Service vector via XEE injection

Zend_Dom, Zend_Feed, Zend_Soap, and Zend_XmlRpc are vulnerable to XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.

Ссылки

https://framework.zend.com/security/advisory/ZF2012-02
https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2012-02.yaml

Пакеты

Наименование

zendframework/zendframework1

composer

Затронутые версииВерсия исправления

>= 1.0.0, < 1.11.13

1.11.13

7.5 High

CVSS3

Дефекты

CWE-776

7.5 High

CVSS3

Дефекты

CWE-776