CVE-2012-3363 — CRITICAL (9.1)

Q: How severe is CVE-2012-3363?

CVE-2012-3363 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2012-3363?

Check the references section above for vendor advisories and patch information. Affected products include: Zend Zend Framework, Fedoraproject Fedora, Debian Debian Linux.

Vulnerability Description

Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.

CVSS Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Zend	Zend Framework	>= 1.0.0, < 1.11.12
Fedoraproject	Fedora	17
Debian	Debian Linux	6.0

Related Weaknesses (CWE)

CWE-611

References

http://framework.zend.com/security/advisory/ZF2012-01Vendor Advisory
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284Patch
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.htmlMailing List
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101358.htmlMailing List
http://openwall.com/lists/oss-security/2013/03/25/2Mailing List
http://www.debian.org/security/2012/dsa-2505Mailing List
http://www.openwall.com/lists/oss-security/2012/06/26/2Mailing List
http://www.openwall.com/lists/oss-security/2012/06/26/4Mailing List
http://www.openwall.com/lists/oss-security/2012/06/27/2Mailing List
http://www.securitytracker.com/id?1027208Broken LinkThird Party AdvisoryVDB Entry
https://moodle.org/mod/forum/discuss.php?d=225345Third Party Advisory
https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txtBroken Link
http://framework.zend.com/security/advisory/ZF2012-01Vendor Advisory
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284Patch
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.htmlMailing List

FAQ

What is CVE-2012-3363?

CVE-2012-3363 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connect...

How severe is CVE-2012-3363?

CVE-2012-3363 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2012-3363?

Check the references section above for vendor advisories and patch information. Affected products include: Zend Zend Framework, Fedoraproject Fedora, Debian Debian Linux.