N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2014-2683

CVE-2014-2683: Several Zend Products Vulnerable to XXE and XEE attacks

Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to cause a denial of service (CPU consumption) via (1) recursive or (2) circular references in an XML entity definition in an XML DOCTYPE declaration, aka an XML Entity Expansion (XEE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-6532.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2014-2683

CVE-2014-2683:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
zendframework/zendframework1	composer	< 1.12.4	1.12.4
zendframework/zendopenid	composer	< 2.0.2	2.0.2
zendframework/zendrest	composer	< 2.0.2	2.0.2
zendframework/zendservice-audioscrobbler	composer	< 2.0.2	2.0.2
zendframework/zendservice-nirvanix	composer	< 2.0.2	2.0.2
zendframework/zendservice-slideshare	composer	< 2.0.2	2.0.2
zendframework/zendservice-technorati	composer	< 2.0.2	2.0.2
zendframework/zendservice-windowsazure	composer	< 2.0.2	2.0.2
zendframework/zendservice-amazon	composer	< 2.0.3	2.0.3
zendframework/zendservice-api	composer	< 1.0.0	1.0.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure XML processing using PHP's DOMDocument/simplexml_load_*/xml_parse functions without proper entity restrictions. The security advisory ZF2014-01 explicitly states these functions were patched across multiple components by introducing Zend_Xml_Security scanning. Vulnerable functions would be those XML processing entry points in affected components before they implemented the security scanning. High confidence comes from: 1) Explicit component listings in CVE description 2) Advisory's focus on XML processing functions 3) Known vulnerable patterns in Zend Framework's historical XML handling.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2014-2683: Several Zend Products Vulnerable to XXE and XEE attacks

CVE-2014-2683:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

N/A

N/A

CVE-2014-2683: Several Zend Products Vulnerable to XXE and XEE attacks

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI