zendframework/zendframework-dev-develop: 5 vulnerabilities (highest severity is: 9.8) #1
Description
Vulnerable Library - zendframework/zendframework-dev-develop
Zend Framework
Library home page: https://api.github.com/repos/zendframework/zendframework/zipball/6e2111d944eede6b08562cef913c0c7d3d60cf36
Found in HEAD commit: 39dbe5aff08e4f04412a5938451250b3845c4dff
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Exploit Maturity | EPSS | Dependency | Type | Fixed in (zendframework/zendframework-dev-develop version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-3007 |  Critical |
9.8 | Proof of concept | 90.3% | zendframework/zendframework-dev-develop | Direct | N/A | ❌ | |
| CVE-2016-10034 | Critical |
9.8 | Not Defined | 82.3% | zendframework/zend-mail-dev-master | Transitive | N/A* | ❌ | |
| CVE-2015-0270 | Critical |
9.8 | Not Defined | 0.3% | zendframework/zendframework-dev-develop | Direct | zendframework/zendframework - 2.3.5,zendframework/zend-db - 2.2.10,zendframework/zendframework - 2.2.10,zendframework/zend-db - 2.3.5 | ❌ | |
| CVE-2014-2052 | Critical |
9.8 | Not Defined | 1.0% | zendframework/zend-xmlrpc-dev-master | Transitive | N/A* | ❌ | |
| CVE-2012-6091 |  High |
7.5 | Not Defined | 1.6% | zendframework/zendframework-dev-develop | Direct | N/A | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2021-3007
Vulnerable Library - zendframework/zendframework-dev-develop
Zend Framework
Library home page: https://api.github.com/repos/zendframework/zendframework/zipball/6e2111d944eede6b08562cef913c0c7d3d60cf36
Dependency Hierarchy:
- ❌ zendframework/zendframework-dev-develop (Vulnerable Library)
Found in HEAD commit: 39dbe5aff08e4f04412a5938451250b3845c4dff
Found in base branch: main
Vulnerability Details
Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized
Publish Date: 2021-01-04
URL: CVE-2021-3007
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 90.3%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVE-2016-10034
Vulnerable Library - zendframework/zend-mail-dev-master
Provides generalized functionality to compose and send both text and MIME-compliant multipart e-mail messages
Library home page: https://api.github.com/repos/zendframework/zend-mail/zipball/0de63dae14eee60ebecf38788ef915e28f1f1da7
Dependency Hierarchy:
- zendframework/zendframework-dev-develop (Root Library)
- ❌ zendframework/zend-mail-dev-master (Vulnerable Library)
Found in HEAD commit: 39dbe5aff08e4f04412a5938451250b3845c4dff
Found in base branch: main
Vulnerability Details
The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a " (backslash double quote) in a crafted e-mail address.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2016-12-30
URL: CVE-2016-10034
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 82.3%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-r9mw-gwx9-v3h5
Release Date: 2016-12-30
Fix Resolution: zendframework/zend-mail - 2.4.11,zendframework/zend-mail - 2.7.2
CVE-2015-0270
Vulnerable Library - zendframework/zendframework-dev-develop
Zend Framework
Library home page: https://api.github.com/repos/zendframework/zendframework/zipball/6e2111d944eede6b08562cef913c0c7d3d60cf36
Dependency Hierarchy:
- ❌ zendframework/zendframework-dev-develop (Vulnerable Library)
Found in HEAD commit: 39dbe5aff08e4f04412a5938451250b3845c4dff
Found in base branch: main
Vulnerability Details
Zend Framework before 2.2.10 and 2.3.x before 2.3.5 has Potential SQL injection in PostgreSQL Zend\Db adapter.
Publish Date: 2019-10-25
URL: CVE-2015-0270
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.3%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-v59p-p692-v382
Release Date: 2019-10-25
Fix Resolution: zendframework/zendframework - 2.3.5,zendframework/zend-db - 2.2.10,zendframework/zendframework - 2.2.10,zendframework/zend-db - 2.3.5
CVE-2014-2052
Vulnerable Library - zendframework/zend-xmlrpc-dev-master
Fully-featured XML-RPC server and client implementations
Library home page: https://api.github.com/repos/zendframework/zend-xmlrpc/zipball/bfd5e938d9aa898b0346ebcd51eedefca31e040c
Dependency Hierarchy:
- zendframework/zendframework-dev-develop (Root Library)
- ❌ zendframework/zend-xmlrpc-dev-master (Vulnerable Library)
Found in HEAD commit: 39dbe5aff08e4f04412a5938451250b3845c4dff
Found in base branch: main
Vulnerability Details
Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
Publish Date: 2020-02-11
URL: CVE-2014-2052
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.0%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVE-2012-6091
Vulnerable Library - zendframework/zendframework-dev-develop
Zend Framework
Library home page: https://api.github.com/repos/zendframework/zendframework/zipball/6e2111d944eede6b08562cef913c0c7d3d60cf36
Dependency Hierarchy:
- ❌ zendframework/zendframework-dev-develop (Vulnerable Library)
Found in HEAD commit: 39dbe5aff08e4f04412a5938451250b3845c4dff
Found in base branch: main
Vulnerability Details
Zend_XmlRpc Class in Magento before 1.7.0.2 contains an information disclosure vulnerability.
Publish Date: 2020-02-13
URL: CVE-2012-6091
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.6%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None