GHSA-229x-22xc-2f2w: Zendframework Local file disclosure via XXE injection in Zend_XmlRpc

June 7, 2024

Zend_XmlRpc is vulnerable to XML eXternal Entity (XXE) Injection attacks. The SimpleXMLElement class (SimpleXML PHP extension) is used in an insecure way to parse XML data. External entities can be specified by adding a specific DOCTYPE element to XML-RPC requests. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.

References

github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2012-01.yaml
github.com/advisories/GHSA-229x-22xc-2f2w
github.com/zendframework/zf1
web.archive.org/web/20210620092354/https://framework.zend.com/security/advisory/ZF2012-01

Code Behaviors & Features

Detect and mitigate GHSA-229x-22xc-2f2w with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →