CVE-2012-5657 — Zend Framework XXE Vulnerability

Description

The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack.

How to fix CVE-2012-5657

To remediate CVE-2012-5657, upgrade the affected package to a fixed version below.

Debian/zendframework—upgrade to 1.10.6-1squeeze2 or later
Packagist/zendframework/zendframework1—upgrade to 1.11.15 or later

Is CVE-2012-5657 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1.10.6-1squeeze2
from 0, < 1.11.15

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-5657
PATCHgithub.com/zendframework/zf1
WEBframework.zend.com/security/advisory/ZF2012-05
WEBopenwall.com/lists/oss-security/2012/12/20/2
WEB