ID CVE-2012-3363
Summary Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.
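The pattern behind this entry, shown as an added illustration rather than Zend Framework code: an XML-RPC request body is handed straight to SimpleXMLElement, so a DOCTYPE in the request can declare an external entity and have the parser fetch it. The hardened variant beside it refuses any DOCTYPE before parsing and keeps libxml's external entity loader off while it parses. Function names, the sample requests and the PHP >= 7.0 assumption are this example's own.

```php
<?php
// Added illustration only: this is not Zend Framework code. It models the
// pattern CVE-2012-3363 describes (an XML-RPC request body handed straight to
// SimpleXMLElement) next to a hardened version. Function names are
// hypothetical; assumes PHP >= 7.0 with ext/simplexml and ext/libxml.

// Constructed sample request: a DOCTYPE declares an external entity that
// points at a local file and references it from <methodName>. Swapping the
// URI for http://attacker.example:8080/ is the "create TCP connections" case.
$xxeRequest = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE methodCall [
  <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<methodCall>
  <methodName>&xxe;</methodName>
  <params/>
</methodCall>
XML;

// Constructed benign request, to show the hardened path still accepts
// ordinary traffic.
$benignRequest = '<?xml version="1.0"?>'
    . '<methodCall><methodName>system.listMethods</methodName><params/></methodCall>';

/**
 * Vulnerable pattern: parse first, ask questions later. With libxml2 < 2.9
 * (the usual PHP build in 2012) the external entity loader is on by default,
 * so &xxe; is resolved and the file contents come back as the method name.
 * libxml2 >= 2.9 no longer fetches external entities unless asked, so this
 * typically returns "" there; that is a library default, not a fix in the
 * application, and LIBXML_NOENT would switch substitution back on.
 */
function vulnerableMethodName(string $body): string
{
    $xml = new SimpleXMLElement($body);
    return (string) $xml->methodName;
}

/**
 * Hardened pattern: XML-RPC never needs a DTD, so reject any DOCTYPE before
 * parsing, and keep the external entity loader off while parsing regardless
 * of the libxml2 default.
 */
function hardenedMethodName(string $body): string
{
    // Cheap pre-parse gate. Apply it to the body after transport decoding and
    // normalise to UTF-8 first if other encodings are accepted; a UTF-16 body
    // would otherwise slip past a byte-level match.
    if (preg_match('/<!DOCTYPE/i', $body)) {
        throw new InvalidArgumentException('DOCTYPE not permitted in XML-RPC requests');
    }

    // libxml_disable_entity_loader() is deprecated on PHP 8 because the loader
    // is already off by default there; only touch it on older runtimes.
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);
    try {
        // LIBXML_NONET forbids network fetches during parsing. Never add
        // LIBXML_NOENT here: that flag turns entity substitution on.
        $xml = new SimpleXMLElement($body, LIBXML_NONET);
    } catch (Exception $e) {
        throw new InvalidArgumentException('Malformed XML-RPC request', 0, $e);
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        if ($previousLoader !== null) {
            libxml_disable_entity_loader($previousLoader);
        }
    }
    return (string) $xml->methodName;
}

foreach (['xxe' => $xxeRequest, 'benign' => $benignRequest] as $label => $body) {
    try {
        printf("hardened   [%s]: accepted, method=%s\n", $label, hardenedMethodName($body));
    } catch (InvalidArgumentException $e) {
        printf("hardened   [%s]: rejected (%s)\n", $label, $e->getMessage());
    }
}
printf("vulnerable [xxe]: method=%s\n", var_export(vulnerableMethodName($xxeRequest), true));
```

Run it with `php xxe_demo.php`. The hardened path rejects the DOCTYPE request and accepts the benign one on any PHP version; whether the vulnerable path actually prints the hostname depends on the libxml2 the interpreter was built against, which `php -r 'echo LIBXML_DOTTED_VERSION;'` reports. That version check is the quickest way to tell whether an old ZF 1.x deployment is exposed as described or is only accidentally protected by a newer libxml2 default.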
References
Vulnerable Configurations
  • cpe:2.3:a:zend:zend_framework:1.12.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.12.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.12.0:rc4:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.12.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.0.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.0.0:rc2a:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.0.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.5.0:pl:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.5.0:pr:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.5.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.5.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.5.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.5.3:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.6.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.6.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.6.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.7.0:pl1:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.7.0:pr:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.7.3:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.7.3:pl1:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.7.4:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.7.5:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.7.6:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.7.7:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.7.8:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.7.9:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.8.0:a1:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.8.0:b1:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.8.3:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.8.4:pl1:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.8.5:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.9.0:a1:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.9.0:b1:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.9.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.9.3:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.9.3:pl1:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.9.4:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.9.5:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.9.6:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.9.7:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.9.8:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.10.0:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.10.0:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.10.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.10.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.10.1:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.10.2:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.10.3:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.10.4:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.10.5:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.10.6:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.10.7:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.10.8:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.10.9:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.11.0:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.11.0:b1:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.11.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.11.1:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.11.2:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.11.3:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.11.4:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.11.5:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.11.6:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.11.7:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.11.8:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.11.9:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.11.10:*:*:*:*:*:*:*
  • cpe:2.3:a:zend:zend_framework:1.11.11:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:17:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:18:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
CVSS
Base: 6.4 (as of 15-02-2024 - 03:20)
CWE CWE-611
CAPEC
  • XML External Entities Blowup
    This attack takes advantage of the entity replacement property of XML, where the value of the replacement is a URI. A well-crafted XML document can have the entity refer to a URI that consumes a large amount of resources, creating a denial of service condition. Depending on the URI, this can cause the system to freeze, crash, or execute arbitrary code.
    Note that this mapped CAPEC pattern describes the resource-exhaustion use of external entities; the impact recorded for CVE-2012-3363 itself is file disclosure and attacker-triggered outbound TCP connections (C:P/I:P/A:N in the vector below), not denial of service.
Access
  Vector: NETWORK  Complexity: LOW  Authentication: NONE
Impact
  Confidentiality: PARTIAL  Integrity: PARTIAL  Availability: NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:N
refmap via4
confirm
debian DSA-2505
fedora
  • FEDORA-2013-4387
  • FEDORA-2013-4404
misc https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt
mlist
  • [oss-security] 20120626 Re: XXE in Zend
  • [oss-security] 20120626 XXE in Zend
  • [oss-security] 20120627 Re: XXE in Zend
  • [oss-security] 20130325 Moodle security notifications public
sectrack 1027208
Last major update 15-02-2024 - 03:20
Published 13-02-2013 - 17:55
Last modified 15-02-2024 - 03:20