Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.
References
Link | Resource |
---|---|
http://framework.zend.com/security/advisory/ZF2012-01 | Vendor Advisory |
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284 | Patch |
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.html | Mailing List |
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101358.html | Mailing List |
http://openwall.com/lists/oss-security/2013/03/25/2 | Mailing List |
http://www.debian.org/security/2012/dsa-2505 | Mailing List |
http://www.openwall.com/lists/oss-security/2012/06/26/2 | Mailing List |
http://www.openwall.com/lists/oss-security/2012/06/26/4 | Mailing List |
http://www.openwall.com/lists/oss-security/2012/06/27/2 | Mailing List |
http://www.securitytracker.com/id?1027208 | Broken Link Third Party Advisory VDB Entry |
https://moodle.org/mod/forum/discuss.php?d=225345 | Third Party Advisory |
https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt | Broken Link |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2013-02-13T17:00:00
Updated: 2013-12-02T13:57:00
Reserved: 2012-06-14T00:00:00
Link: CVE-2012-3363
JSON object: View
NVD Information
Status : Analyzed
Published: 2013-02-13T17:55:01.320
Modified: 2024-02-15T03:20:09.587
Link: CVE-2012-3363
JSON object: View
Redhat Information
No data.
CWE