GHSA-qg7m-mwxm-j3h7: Zend-developer-tools information disclosure vulnerability

CVSS Score
5.3 (CVSS v3.1)

Basic Information

CVE ID
-
EPSS Score
-
Published
6/7/2024
Updated
6/7/2024
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name
zendframework/zend-developer-tools
Ecosystem
composer
Vulnerable Versions
>= 1.2.2, < 1.2.3
First Patched Version
1.2.3

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from how toolbar configuration entries are processed. The key change in the patch replaces 'break' with 'continue' in the loop that applies the configured toolbar entries. With 'break', the loop exited as soon as it handled the first entry configured as disabled, so every entry listed after it in the configuration was never processed, and any default-enabled entries among them stayed enabled. This matches the advisory: default-enabled entries could not be reliably disabled. The test case added in OptionsTest.php exercises exactly this behaviour, confirming the function's role in the vulnerability.
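To make the 'break' versus 'continue' behaviour concrete, the following is an added example, not the package's own code: the class name ToolbarOptions, the two method names, the default collector keys and the user configuration are all assumptions constructed for this illustration. It runs both loop variants over the same configuration, which disables two collectors, and then applies the check a practitioner would want: every collector configured as false must be absent from the effective toolbar.

```php
<?php
declare(strict_types=1);

// Added illustration of the break-vs-continue bug described in the root cause
// analysis. ToolbarOptions, its method names and the collector keys are
// assumptions for this example, not identifiers from zend-developer-tools.
final class ToolbarOptions
{
    /** @var array<string, string> collector name => toolbar template */
    private array $entries;

    /** @param array<string, string> $defaultEntries collectors enabled by default */
    public function __construct(array $defaultEntries)
    {
        $this->entries = $defaultEntries;
    }

    // Vulnerable variant: a disabled entry triggers `break`, so every entry
    // listed after it in the user's configuration is silently ignored and
    // any default-enabled collector among them stays enabled.
    public function setToolbarEntriesVulnerable(array $entries): void
    {
        foreach ($entries as $collector => $template) {
            if (false === $template) {
                unset($this->entries[$collector]);
                break;
            }
            $this->entries[$collector] = $template;
        }
    }

    // Fixed variant (the 1.2.3 change): `continue` skips only the current
    // entry, so every configured disable is honoured.
    public function setToolbarEntriesFixed(array $entries): void
    {
        foreach ($entries as $collector => $template) {
            if (false === $template) {
                unset($this->entries[$collector]);
                continue;
            }
            $this->entries[$collector] = $template;
        }
    }

    /** @return string[] names of the collectors that will render in the toolbar */
    public function enabledEntries(): array
    {
        return array_keys($this->entries);
    }
}

// Constructed sample: three collectors enabled by default.
$defaults = [
    'request' => 'toolbar/request',
    'config'  => 'toolbar/config',
    'db'      => 'toolbar/db',
];

// Constructed user configuration: disable 'config' and 'db'.
$userConfig = [
    'config' => false,
    'db'     => false,
];

$vulnerable = new ToolbarOptions($defaults);
$vulnerable->setToolbarEntriesVulnerable($userConfig);
// The loop stopped after unsetting 'config', so 'db' was never processed.
printf("vulnerable: %s\n", implode(', ', $vulnerable->enabledEntries()));

$fixed = new ToolbarOptions($defaults);
$fixed->setToolbarEntriesFixed($userConfig);
printf("fixed:      %s\n", implode(', ', $fixed->enabledEntries()));

// Regression check: every collector configured as false must be absent from
// the effective toolbar. This fails for the vulnerable variant and passes
// for the fixed one.
foreach ($userConfig as $collector => $template) {
    if (false === $template && in_array($collector, $fixed->enabledEntries(), true)) {
        throw new RuntimeException("collector '$collector' was not disabled");
    }
}
echo "all configured disables honoured\n";
```

Run it with `php example.php` (PHP 7.4 or later, because of the typed property). The vulnerable loop still lists 'db' as enabled because it exited after handling 'config'; the fixed loop removes both. The final loop is the kind of check to add to a deployment's configuration tests: compare the collectors you set to false against the toolbar that actually renders, rather than trusting the configuration file alone.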

Advisory Description

The package zendframework/zend-developer-tools provides a web-based toolbar for introspecting an application. When updating the package to support PHP 7.4, a change was made that could potentially prevent toolbar entries that are enabled by default
