CVE-2012-3363

Sažetak

Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.

Reference

http://framework.zend.com/security/advisory/ZF2012-01
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101358.html
http://openwall.com/lists/oss-security/2013/03/25/2
http://www.debian.org/security/2012/dsa-2505
http://www.openwall.com/lists/oss-security/2012/06/26/2
http://www.openwall.com/lists/oss-security/2012/06/26/4
http://www.openwall.com/lists/oss-security/2012/06/27/2
http://www.securitytracker.com/id?1027208
https://moodle.org/mod/forum/discuss.php?d=225345
https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt

CVSS

Base:	6.4
Impact:	4.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	NONE

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:P/A:N

Zadnje važnije ažuriranje

15-02-2024 - 03:20

Objavljeno

13-02-2013 - 17:55