CVE-2012-3363

Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.

CVSS v3.0 9.1 CRITICAL
CVSS v2.0 6.4 MEDIUM

9.1^/10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

6.4^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:N

Exploitability : 10.0 / Impact : 4.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://framework.zend.com/security/advisory/ZF2012-01	Vendor Advisory
http://framework.zend.com/security/advisory/ZF2012-01	Vendor Advisory
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284	Patch
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284	Patch
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.html	Mailing List
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.html	Mailing List
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101358.html	Mailing List
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101358.html	Mailing List
http://openwall.com/lists/oss-security/2013/03/25/2	Mailing List
http://openwall.com/lists/oss-security/2013/03/25/2	Mailing List
http://www.debian.org/security/2012/dsa-2505	Mailing List
http://www.debian.org/security/2012/dsa-2505	Mailing List
http://www.openwall.com/lists/oss-security/2012/06/26/2	Mailing List
http://www.openwall.com/lists/oss-security/2012/06/26/2	Mailing List
http://www.openwall.com/lists/oss-security/2012/06/26/4	Mailing List
http://www.openwall.com/lists/oss-security/2012/06/26/4	Mailing List
http://www.openwall.com/lists/oss-security/2012/06/27/2	Mailing List
http://www.openwall.com/lists/oss-security/2012/06/27/2	Mailing List
http://www.securitytracker.com/id?1027208	Broken Link Third Party Advisory VDB Entry
http://www.securitytracker.com/id?1027208	Broken Link Third Party Advisory VDB Entry
https://moodle.org/mod/forum/discuss.php?d=225345	Third Party Advisory
https://moodle.org/mod/forum/discuss.php?d=225345	Third Party Advisory
https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt	Broken Link
https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt	Broken Link

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zend:zend_framework:1.12.0:rc3::::::
	cpe:2.3:a:zend:zend_framework:1.12.0:rc1::::::
	cpe:2.3:a:zend:zend_framework:1.12.0:rc4::::::
	cpe:2.3:a:zend:zend_framework:1.12.0:rc2::::::
	cpe:2.3:a:zend:zend_framework::::::::

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:17:::::::*
	cpe:2.3:o:fedoraproject:fedora:18:::::::*

Configuration 3 (hide)

cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*

History

16 Jan 2025, 21:15

Type	Values Removed	Values Added
References	~~(MISC) https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt - Broken Link~~	() https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt - Broken Link
References	~~(CONFIRM) http://framework.zend.com/security/advisory/ZF2012-01 - Vendor Advisory~~	() http://framework.zend.com/security/advisory/ZF2012-01 - Vendor Advisory
References	~~(FEDORA) http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101358.html - Mailing List~~	() http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101358.html - Mailing List
References	~~(FEDORA) http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.html - Mailing List~~	() http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.html - Mailing List
References	~~(MLIST) http://www.openwall.com/lists/oss-security/2012/06/27/2 - Mailing List~~	() http://www.openwall.com/lists/oss-security/2012/06/27/2 - Mailing List
References	~~(DEBIAN) http://www.debian.org/security/2012/dsa-2505 - Mailing List~~	() http://www.debian.org/security/2012/dsa-2505 - Mailing List
References	~~(MLIST) http://www.openwall.com/lists/oss-security/2012/06/26/4 - Mailing List~~	() http://www.openwall.com/lists/oss-security/2012/06/26/4 - Mailing List
References	~~(MLIST) http://openwall.com/lists/oss-security/2013/03/25/2 - Mailing List~~	() http://openwall.com/lists/oss-security/2013/03/25/2 - Mailing List
References	~~(SECTRACK) http://www.securitytracker.com/id?1027208 - Broken Link, Third Party Advisory, VDB Entry~~	() http://www.securitytracker.com/id?1027208 - Broken Link, Third Party Advisory, VDB Entry
References	~~(MLIST) http://www.openwall.com/lists/oss-security/2012/06/26/2 - Mailing List~~	() http://www.openwall.com/lists/oss-security/2012/06/26/2 - Mailing List
References	~~(CONFIRM) https://moodle.org/mod/forum/discuss.php?d=225345 - Third Party Advisory~~	() https://moodle.org/mod/forum/discuss.php?d=225345 - Third Party Advisory
References	~~(CONFIRM) http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284 - Patch~~	() http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284 - Patch

15 Feb 2024, 03:20

Information

Published : 2013-02-13 17:55

Updated : 2025-01-16 21:15

NVD link : CVE-2012-3363

Mitre link : CVE-2012-3363

JSON object : View

Products Affected

debian

debian_linux

zend

zend_framework

fedoraproject

fedora

CWE

CWE-611

Improper Restriction of XML External Entity Reference

Type	Values Removed	Values Added
References	~~(MLIST) http://www.openwall.com/lists/oss-security/2012/06/27/2 -~~	(MLIST) http://www.openwall.com/lists/oss-security/2012/06/27/2 - Mailing List
References	~~(DEBIAN) http://www.debian.org/security/2012/dsa-2505 -~~	(DEBIAN) http://www.debian.org/security/2012/dsa-2505 - Mailing List
References	~~(CONFIRM) http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284 -~~	(CONFIRM) http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284 - Patch
References	~~(MLIST) http://www.openwall.com/lists/oss-security/2012/06/26/2 -~~	(MLIST) http://www.openwall.com/lists/oss-security/2012/06/26/2 - Mailing List
References	~~(FEDORA) http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101358.html -~~	(FEDORA) http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101358.html - Mailing List
References	~~(CONFIRM) https://moodle.org/mod/forum/discuss.php?d=225345 -~~	(CONFIRM) https://moodle.org/mod/forum/discuss.php?d=225345 - Third Party Advisory
References	~~(FEDORA) http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.html -~~	(FEDORA) http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.html - Mailing List
References	~~(SECTRACK) http://www.securitytracker.com/id?1027208 -~~	(SECTRACK) http://www.securitytracker.com/id?1027208 - Broken Link, Third Party Advisory, VDB Entry
References	~~(MLIST) http://openwall.com/lists/oss-security/2013/03/25/2 -~~	(MLIST) http://openwall.com/lists/oss-security/2013/03/25/2 - Mailing List
References	~~(CONFIRM) http://framework.zend.com/security/advisory/ZF2012-01 -~~	(CONFIRM) http://framework.zend.com/security/advisory/ZF2012-01 - Vendor Advisory
References	~~(MISC) https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt -~~	(MISC) https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt - Broken Link
References	~~(MLIST) http://www.openwall.com/lists/oss-security/2012/06/26/4 -~~	(MLIST) http://www.openwall.com/lists/oss-security/2012/06/26/4 - Mailing List
CPE	cpe:2.3:a:zend:zend_framework:1.11.5:::::::* cpe:2.3:a:zend:zend_framework:1.9.2:::::::* cpe:2.3:a:zend:zend_framework:1.10.5:::::::* cpe:2.3:a:zend:zend_framework:1.7.3:::::::* cpe:2.3:a:zend:zend_framework:1.6.0:rc3:::::: cpe:2.3:a:zend:zend_framework:1.10.8:::::::* cpe:2.3:a:zend:zend_framework:1.6.0:rc1:::::: cpe:2.3:a:zend:zend_framework:1.7.0:pr:::::: cpe:2.3:a:zend:zend_framework:1.11.10:::::::* cpe:2.3:a:zend:zend_framework:1.9.8:::::::* cpe:2.3:a:zend:zend_framework:1.8.4:pl1:::::: cpe:2.3:a:zend:zend_framework:1.8.3:::::::* cpe:2.3:a:zend:zend_framework:1.5.1:::::::* cpe:2.3:a:zend:zend_framework:1.10.9:::::::* cpe:2.3:a:zend:zend_framework:1.10.0:alpha1:::::: cpe:2.3:a:zend:zend_framework:1.0.0:::::::* cpe:2.3:a:zend:zend_framework:1.0.0:rc2:::::: cpe:2.3:a:zend:zend_framework:1.9.1:::::::* cpe:2.3:a:zend:zend_framework:1.9.0:a1:::::: cpe:2.3:a:zend:zend_framework:1.6.2:::::::* cpe:2.3:a:zend:zend_framework:1.0.4:::::::* cpe:2.3:a:zend:zend_framework:1.7.4:::::::* cpe:2.3:a:zend:zend_framework:1.10.0:rc1:::::: cpe:2.3:a:zend:zend_framework:1.8.0:a1:::::: cpe:2.3:a:zend:zend_framework:1.11.3:::::::* cpe:2.3:a:zend:zend_framework:1.7.8:::::::* cpe:2.3:a:zend:zend_framework:1.7.6:::::::* cpe:2.3:a:zend:zend_framework:1.8.0:::::::* cpe:2.3:a:zend:zend_framework:1.8.1:::::::* cpe:2.3:a:zend:zend_framework:1.5.3:::::::* cpe:2.3:a:zend:zend_framework:1.11.9:::::::* cpe:2.3:a:zend:zend_framework:1.10.2:::::::* cpe:2.3:a:zend:zend_framework:1.0.1:::::::* cpe:2.3:a:zend:zend_framework:1.11.0:b1:::::: cpe:2.3:a:zend:zend_framework:1.9.6:::::::* cpe:2.3:a:zend:zend_framework:1.9.0:rc1:::::: cpe:2.3:a:zend:zend_framework:1.11.11:::::::* cpe:2.3:a:zend:zend_framework:1.5.0:pl:::::: cpe:2.3:a:zend:zend_framework:1.5.2:::::::* cpe:2.3:a:zend:zend_framework:1.11.4:::::::* cpe:2.3:a:zend:zend_framework:1.7.3:pl1:::::: cpe:2.3:a:zend:zend_framework:1.9.3:::::::* cpe:2.3:a:zend:zend_framework:1.6.0:rc2:::::: cpe:2.3:a:zend:zend_framework:1.9.7:::::::* cpe:2.3:a:zend:zend_framework:1.10.4:::::::* cpe:2.3:a:zend:zend_framework:1.5.0:rc1:::::: cpe:2.3:a:zend:zend_framework:1.9.3:pl1:::::: cpe:2.3:a:zend:zend_framework:1.9.0:b1:::::: cpe:2.3:a:zend:zend_framework:1.10.6:::::::* cpe:2.3:a:zend:zend_framework:1.8.4:::::::* cpe:2.3:a:zend:zend_framework:1.7.0:::::::* cpe:2.3:a:zend:zend_framework:1.7.2:::::::* cpe:2.3:a:zend:zend_framework:1.10.7:::::::* cpe:2.3:a:zend:zend_framework:1.5.0:::::::* cpe:2.3:a:zend:zend_framework:1.0.0:rc3:::::: cpe:2.3:a:zend:zend_framework:1.11.7:::::::* cpe:2.3:a:zend:zend_framework:1.7.9:::::::* cpe:2.3:a:zend:zend_framework:1.7.0:pl1:::::: cpe:2.3:a:zend:zend_framework:1.11.1:::::::* cpe:2.3:a:zend:zend_framework:1.0.2:::::::* cpe:2.3:a:zend:zend_framework:1.9.4:::::::* cpe:2.3:a:zend:zend_framework:1.11.6:::::::* cpe:2.3:a:zend:zend_framework:1.6.0:::::::* cpe:2.3:a:zend:zend_framework:1.7.1:::::::* cpe:2.3:a:zend:zend_framework:1.11.0:rc1:::::: cpe:2.3:a:zend:zend_framework:1.5.0:rc2:::::: cpe:2.3:a:zend:zend_framework:1.5.0:pr:::::: cpe:2.3:a:zend:zend_framework:1.11.0:::::::* cpe:2.3:a:zend:zend_framework:1.9.5:::::::* cpe:2.3:a:zend:zend_framework:1.8.5:::::::* cpe:2.3:a:zend:zend_framework:1.10.1:::::::* cpe:2.3:a:zend:zend_framework:1.9.0:::::::* cpe:2.3:a:zend:zend_framework:1.10.3:::::::* cpe:2.3:a:zend:zend_framework:1.0.0:rc2a:::::: cpe:2.3:a:zend:zend_framework:1.6.1:::::::* cpe:2.3:a:zend:zend_framework:1.0.3:::::::* cpe:2.3:a:zend:zend_framework:1.10.0:::::::* cpe:2.3:a:zend:zend_framework:1.7.7:::::::* cpe:2.3:a:zend:zend_framework:1.7.5:::::::* cpe:2.3:a:zend:zend_framework:1.8.0:b1:::::: cpe:2.3:a:zend:zend_framework:1.10.0:beta1:::::: cpe:2.3:a:zend:zend_framework:1.11.8:::::::* cpe:2.3:a:zend:zend_framework:1.0.0:rc1:::::: cpe:2.3:a:zend:zend_framework:1.5.0:rc3:::::: cpe:2.3:a:zend:zend_framework:1.11.2:::::::* cpe:2.3:a:zend:zend_framework:1.8.2:::::::*	cpe:2.3:o:debian:debian_linux:6.0:::::::* cpe:2.3:a:zend:zend_framework:::::::: cpe:2.3:o:fedoraproject:fedora:17:::::::* cpe:2.3:o:fedoraproject:fedora:18:::::::*
CWE	~~NVD-CWE-noinfo~~	CWE-611
CVSS	v2 : ~~6.4~~ v3 : ~~unknown~~	v2 : 6.4 v3 : 9.1
First Time		Fedoraproject fedora Fedoraproject Debian Debian debian Linux

9.1 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

6.4 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2012-3363

9.1^/10

6.4^/10

Attach tags to `CVE-2012-3363`