Описание
Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized
Ссылки
- ExploitThird Party Advisory
- PatchThird Party Advisory
- PatchThird Party Advisory
- Third Party Advisory
- ExploitThird Party Advisory
- ExploitThird Party Advisory
- PatchThird Party Advisory
- PatchThird Party Advisory
- Third Party Advisory
- ExploitThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 2.14.2 (исключая)
Одно из
cpe:2.3:a:getlaminas:laminas-http:*:*:*:*:*:*:*:*
cpe:2.3:a:zend:zend_framework:3.0.0:*:*:*:*:*:*:*
EPSS
Процентиль: 99%
0.79527
Высокий
9.8 Critical
CVSS3
7.5 High
CVSS2
Дефекты
CWE-502
Связанные уязвимости
CVSS3: 9.8
github
около 4 лет назад
Remote code execution in zendframework and laminas-http
EPSS
Процентиль: 99%
0.79527
Высокий
9.8 Critical
CVSS3
7.5 High
CVSS2
Дефекты
CWE-502