CVE-2012-3363

Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.

Published: Feb 13, 2013
Updated: May 9, 2024
CVE: CVE-2012-3363
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v2:

Severity: Medium
Score: 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:N

CWEs:

CWE-611

OWASP TOP 10:

A4 - XML External Entities (XXE)

Affected Software
References

Software	From	Fixed in
zend / zend_framework	1.12.0-rc3	1.12.0-rc3.x
zend / zend_framework	1.12.0-rc1	1.12.0-rc1.x
zend / zend_framework	1.12.0-rc4	1.12.0-rc4.x
zend / zend_framework	1.12.0-rc2	1.12.0-rc2.x
zend / zend_framework	1.0.0	1.11.12
fedoraproject / fedora	17	17.x
fedoraproject / fedora	18	18.x
debian / debian_linux	6.0	6.0.x

http://framework.zend.com/security/advisory/ZF2012-01
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101358.html
http://openwall.com/lists/oss-security/2013/03/25/2
http://www.debian.org/security/2012/dsa-2505
http://www.openwall.com/lists/oss-security/2012/06/26/2
http://www.openwall.com/lists/oss-security/2012/06/26/4
http://www.openwall.com/lists/oss-security/2012/06/27/2
http://www.securitytracker.com/id?1027208
https://moodle.org/mod/forum/discuss.php?d=225345
https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt

Vulnerability Database

289,697

CVE-2012-3363