CVE-2014-2683
medium
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
5.0
Description
Several Zend Products Vulnerable to XXE and XEE attacks
Predictions
Exploit likelihood
20%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | zendframework/zendframework1 | <1.12.4 | 1.12.4 |
| Packagist | zendframework/zendopenid | <2.0.2 | 2.0.2 |
| Packagist | zendframework/zendrest | <2.0.2 | 2.0.2 |
| Packagist | zendframework/zendservice-audioscrobbler | <2.0.2 | 2.0.2 |
| Packagist | zendframework/zendservice-nirvanix | <2.0.2 | 2.0.2 |
| Packagist | zendframework/zendservice-slideshare | <2.0.2 | 2.0.2 |
| Packagist | zendframework/zendservice-technorati | <2.0.2 | 2.0.2 |
| Packagist | zendframework/zendservice-windowsazure | <2.0.2 | 2.0.2 |
| Packagist | zendframework/zendservice-amazon | <2.0.3 | 2.0.3 |
| Packagist | zendframework/zendservice-api | <1.0.0 | 1.0.0 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| zend | zendrest | {"endIncluding":"2.0.1"} | |
| zend | zend_framework | {"endExcluding":"1.12.4"} | 1.12.4 |
| zend | zendservice_slideshare | {"endIncluding":"2.0.1"} | |
| zend | zendservice_api | {"endIncluding":"1.0.0"} | |
| zend | zendservice_audioscrobbler | {"endIncluding":"2.0.1"} | |
| zend | zendservice_amazon | {"endIncluding":"2.0.2"} | |
| zend | zendservice_technorati | {"endIncluding":"2.0.1"} | |
| zend | zendservice_windowsazure | {"endIncluding":"2.0.1"} | |
| zend | zendopenid | {"endIncluding":"2.0.1"} | |
| zend | zendservice_nirvanix | {"endIncluding":"2.0.1"} | |
References
- http://advisories.mageia.org/MGASA-2014-0151.html
- http://framework.zend.com/security/advisory/ZF2014-01
- http://seclists.org/oss-sec/2014/q2/0
- http://www.debian.org/security/2015/dsa-3265
- http://www.mandriva.com/security/advisories?name=MDVSA-2014:072
- http://www.securityfocus.com/bid/66358
- https://nvd.nist.gov/vuln/detail/CVE-2014-2683
- https://web.archive.org/web/20140419041226/http://www.securityfocus.com/bid/66358
- https://web.archive.org/web/20150523055201/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:072/?name=MDVSA-2014:072
CWEs
CWE-17
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.