CVE-2015-5161

The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters.

Published Bysecalert@redhat.com

Published DateAug 25, 2015, 17:59

Affected Versions(5)

zendframework/zendframework(Packagist)

Introduced2.0.0

Fixed2.4.6

LimitN/A

zendframework/zendframework(Packagist)

Introduced2.5.0

Fixed2.5.2

LimitN/A

zendframework/zendframework1(Packagist)

Introduced1.12.0

Fixed1.12.14

LimitN/A

zendframework/zendxml(Packagist)

Introduced1.0.0

Fixed1.0.1

LimitN/A

zendframework/zendframework(Packagist)

Introduced1.12.0

Fixed1.12.14

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
zendframework/zendframework(Packagist)	2.0.0	2.4.6	N/A
zendframework/zendframework(Packagist)	2.5.0	2.5.2	N/A
zendframework/zendframework1(Packagist)	1.12.0	1.12.14	N/A
zendframework/zendxml(Packagist)	1.0.0	1.0.1	N/A
zendframework/zendframework(Packagist)	1.12.0	1.12.14	N/A

Weakness Type (CWE):NVD-CWE-Other

CVSS Metrics

Base Score

6.8

Vector String

AV:N/AC:M/Au:N/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL

References

Weakness Type (CWE):NVD-CWE-Other

CVSS Metrics

Base Score

6.8

Vector String

AV:N/AC:M/Au:N/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL