CVE-2012-3363 — Zend Framework XXE Vulnerability

Description

`Zend_XmlRpc` in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle `SimpleXMLElement` classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.

How to fix CVE-2012-3363

To remediate CVE-2012-3363, upgrade the affected package to a fixed version below.

—upgrade to 1.10.6-1squeeze1 or later
—upgrade to 1.11.12 or later

Is CVE-2012-3363 being exploited?

Likely — EPSS is 55.1%, placing CVE-2012-3363 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (2)

from 0, < 1.10.6-1squeeze1
>= 1.0.0, < 1.11.12

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References (16)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-3363
PATCHgithub.com/zendframework/zf1
WEBframework.zend.com/security/advisory/ZF2012-01
WEBgit.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284