Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:composer/zendframework/zendframework@2.4.10

Type composer

Namespace zendframework

Name zendframework

Version 2.4.10

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 2.5.2

Latest_non_vulnerable_version 2.5.2

Affected_by_vulnerabilities

url VCID-8d1t-m4zy-dkf4

vulnerability_id VCID-8d1t-m4zy-dkf4

summary

Zendframework URL Rewrite vulnerability
zend-diactoros (and, by extension, Expressive), zend-http (and, by extension, Zend Framework MVC projects), and zend-feed (specifically, its PubSubHubbub sub-component) each contain a potential URL rewrite exploit. In each case, marshaling a request URI includes logic that introspects HTTP request headers that are specific to a given server-side URL rewrite mechanism.

When these headers are present on systems not running the specific URL rewriting mechanism, the logic would still trigger, allowing a malicious client or proxy to emulate the headers to request arbitrary content.

references

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/ZF2018-01.yaml

reference_id

reference_type

scores

value	4.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/ZF2018-01.yaml

reference_url

https://github.com/zendframework/zendframework

reference_id

reference_type

scores

value	4.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/zendframework/zendframework

reference_url

https://web.archive.org/web/20210618220447/https://framework.zend.com/security/advisory/ZF2018-01

reference_id

reference_type

scores

value	4.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://web.archive.org/web/20210618220447/https://framework.zend.com/security/advisory/ZF2018-01

reference_url

https://github.com/advisories/GHSA-fh7r-58q4-6387

reference_id

GHSA-fh7r-58q4-6387

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-fh7r-58q4-6387

fixed_packages

url pkg:composer/zendframework/zendframework@2.5.0

purl pkg:composer/zendframework/zendframework@2.5.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8fwb-56kb-jubf

vulnerability	VCID-njsg-e1w1-9qcy

vulnerability	VCID-vmut-b2y4-rkcp

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework@2.5.0

aliases GHSA-fh7r-58q4-6387

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8d1t-m4zy-dkf4

url VCID-qs6q-pjks-euh4

vulnerability_id VCID-qs6q-pjks-euh4

summary

Remote code execution in zend-mail via Sendmail adapter
A malicious user may be able to inject arbitrary parameters to the system Sendmail program. The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability.

references

reference_url	https://framework.zend.com/security/advisory/ZF2016-04
reference_id
reference_type
scores
url	https://framework.zend.com/security/advisory/ZF2016-04

fixed_packages

url pkg:composer/zendframework/zendframework@2.4.11

purl pkg:composer/zendframework/zendframework@2.4.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8d1t-m4zy-dkf4

vulnerability	VCID-wz4g-j8zt-ruff

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework@2.4.11

url pkg:composer/zendframework/zendframework@2.5.0

purl pkg:composer/zendframework/zendframework@2.5.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8fwb-56kb-jubf

vulnerability	VCID-njsg-e1w1-9qcy

vulnerability	VCID-vmut-b2y4-rkcp

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework@2.5.0

aliases ZF2016-04

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qs6q-pjks-euh4

url VCID-wz4g-j8zt-ruff

vulnerability_id VCID-wz4g-j8zt-ruff

summary

URL Redirection to Untrusted Site (Open Redirect)
URL Rewrite vulnerability.

references

reference_url	https://framework.zend.com/security/advisory/ZF2018-01
reference_id
reference_type
scores
url	https://framework.zend.com/security/advisory/ZF2018-01

fixed_packages

url pkg:composer/zendframework/zendframework@2.5.0

purl pkg:composer/zendframework/zendframework@2.5.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8fwb-56kb-jubf

vulnerability	VCID-njsg-e1w1-9qcy

vulnerability	VCID-vmut-b2y4-rkcp

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework@2.5.0

aliases ZF2018-01

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wz4g-j8zt-ruff

url VCID-zfzg-uw7s-byhp

vulnerability_id VCID-zfzg-uw7s-byhp

summary

ZendFramework potential remote code execution in zend-mail via Sendmail adapter
When using the zend-mail component to send email via the `Zend\Mail\Transport\Sendmail transport`, a malicious user may be able to inject arbitrary parameters to the system sendmail program. The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability.

references

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/ZF2016-04.yaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/ZF2016-04.yaml

reference_url

https://github.com/zendframework/zendframework

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/zendframework/zendframework

reference_url

https://github.com/zendframework/zendframework/commit/7c1e89815f5a9c016f4b8088e59b07cb2bf99dc0

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/zendframework/zendframework/commit/7c1e89815f5a9c016f4b8088e59b07cb2bf99dc0

reference_url

https://web.archive.org/web/20201107093523/https://framework.zend.com/security/advisory/ZF2016-04

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://web.archive.org/web/20201107093523/https://framework.zend.com/security/advisory/ZF2016-04

reference_url

https://github.com/advisories/GHSA-gff2-p6vm-3p8g

reference_id

GHSA-gff2-p6vm-3p8g

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-gff2-p6vm-3p8g

fixed_packages

url pkg:composer/zendframework/zendframework@2.4.11

purl pkg:composer/zendframework/zendframework@2.4.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8d1t-m4zy-dkf4

vulnerability	VCID-wz4g-j8zt-ruff

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework@2.4.11

aliases GHSA-gff2-p6vm-3p8g

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zfzg-uw7s-byhp

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework@2.4.10

Package Instance