CVE-2012-3363

描述

`Zend_XmlRpc` in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle `SimpleXMLElement` classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.

受影響套件(2)

• Debian/zendframeworkfrom 0, < 1.10.6-1squeeze1
• Packagist/zendframework/zendframework1>= 1.0.0, < 1.11.12

CVSS 分數

參考連結(16)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2012-3363
• PATCHhttps://github.com/zendframework/zf1
• WEBhttp://framework.zend.com/security/advisory/ZF2012-01
• WEBhttp://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284
• WEBhttp://lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.html
• WEBhttp://lists.fedoraproject.org/pipermail/package-announce/2013-April/101358.html
• WEBhttp://openwall.com/lists/oss-security/2013/03/25/2
• WEBhttps://github.com/zendframework/zf1/commit/281a3251d71ed40a5289ec4afc355eea8e014dc5
• WEBhttps://moodle.org/mod/forum/discuss.php?d=225345
• WEBhttps://web.archive.org/web/20170223044943/http://www.securitytracker.com/id?1027208
• WEBhttps://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt
• WEBhttp://www.debian.org/security/2012/dsa-2505
• WEBhttp://www.openwall.com/lists/oss-security/2012/06/26/2
• WEBhttp://www.openwall.com/lists/oss-security/2012/06/26/4
• WEBhttp://www.openwall.com/lists/oss-security/2012/06/27/2
• WEBhttp://www.securitytracker.com/id?1027208