Select your cookie preferences

We use cookies and similar tools to enhance your experience, provide our services, deliver relevant advertising, and make improvements. Approved third parties also use these tools to help us deliver advertising and provide certain site features.

CVE-2014-2681

Public on 2014-07-23
Modified on 2014-09-19
Description

Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.

Severity
Medium
See what this means
CVSS v3 Base Score
6.4
See breakdown
Continue reading

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 1 php-ZendFramework 2014-07-23 13:39 ALAS-2014-377

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv2 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P
NVD CVSSv2 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P