Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:composer/zendframework/zend-diactoros@1.3.2

Type composer

Namespace zendframework

Name zend-diactoros

Version 1.3.2

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.8.4

Latest_non_vulnerable_version 1.8.4

Affected_by_vulnerabilities

url VCID-dzed-egaa-jyfd

vulnerability_id VCID-dzed-egaa-jyfd

summary

Zend-Diactoros URL Rewrite vulnerability
zend-diactoros (and, by extension, Expressive), zend-http (and, by extension, Zend Framework MVC projects), and zend-feed (specifically, its PubSubHubbub sub-component) each contain a potential URL rewrite exploit. In each case, marshaling a request URI includes logic that introspects HTTP request headers that are specific to a given server-side URL rewrite mechanism.

When these headers are present on systems not running the specific URL rewriting mechanism, the logic would still trigger, allowing a malicious client or proxy to emulate the headers to request arbitrary content.

references

reference_url

https://framework.zend.com/security/advisory/ZF2018-01

reference_id

reference_type

scores

value	4.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://framework.zend.com/security/advisory/ZF2018-01

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-diactoros/ZF2018-01.yaml

reference_id

reference_type

scores

value	4.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-diactoros/ZF2018-01.yaml

reference_url

https://github.com/zendframework/zend-diactoros

reference_id

reference_type

scores

value	4.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/zendframework/zend-diactoros

reference_url

https://github.com/zendframework/zend-diactoros/commit/3a4f44f7f89f7007f3c3e4ca69ac23874f8a4093

reference_id

reference_type

scores

value	4.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/zendframework/zend-diactoros/commit/3a4f44f7f89f7007f3c3e4ca69ac23874f8a4093

reference_url

https://github.com/zendframework/zend-diactoros/commit/736ffa7c2bfa4a60e8a10acb316fa2ac456c5fba

reference_id

reference_type

scores

value	4.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/zendframework/zend-diactoros/commit/736ffa7c2bfa4a60e8a10acb316fa2ac456c5fba

reference_url

https://github.com/advisories/GHSA-fq4p-86hh-42v9

reference_id

GHSA-fq4p-86hh-42v9

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-fq4p-86hh-42v9

fixed_packages

url	pkg:composer/zendframework/zend-diactoros@1.8.4
purl	pkg:composer/zendframework/zend-diactoros@1.8.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zend-diactoros@1.8.4

aliases GHSA-fq4p-86hh-42v9

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dzed-egaa-jyfd

url VCID-ktqb-v8q6-wuh9

vulnerability_id VCID-ktqb-v8q6-wuh9

summary

URL Rewrite vulnerability in multiple zendframework components
zend-diactoros (and, by extension, Expressive), zend-http (and, by extension, Zend Framework MVC projects), and zend-feed (specifically, its PubSubHubbub sub-component) each contain a potential URL rewrite exploit. In each case, marshaling a request URI includes logic that introspects HTTP request headers that are specific to a given server-side URL rewrite mechanism.

When these headers are present on systems not running the specific URL rewriting mechanism, the logic would still trigger, allowing a malicious client or proxy to emulate the headers to request arbitrary content.

references

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-diactoros/ZF2018-01.yaml

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-diactoros/ZF2018-01.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-feed/ZF2018-01.yaml

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-feed/ZF2018-01.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-http/ZF2018-01.yaml

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-http/ZF2018-01.yaml

reference_url

https://github.com/advisories/GHSA-f6p5-76fp-m248

reference_id

GHSA-f6p5-76fp-m248

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-f6p5-76fp-m248

fixed_packages

url	pkg:composer/zendframework/zend-diactoros@1.8.4
purl	pkg:composer/zendframework/zend-diactoros@1.8.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zend-diactoros@1.8.4

aliases GHSA-f6p5-76fp-m248, GMS-2022-1062, GMS-2022-1063, GMS-2022-1064

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ktqb-v8q6-wuh9

url VCID-wz4g-j8zt-ruff

vulnerability_id VCID-wz4g-j8zt-ruff

summary

URL Redirection to Untrusted Site (Open Redirect)
URL Rewrite vulnerability.

references

reference_url	https://framework.zend.com/security/advisory/ZF2018-01
reference_id
reference_type
scores
url	https://framework.zend.com/security/advisory/ZF2018-01

fixed_packages

url	pkg:composer/zendframework/zend-diactoros@1.8.4
purl	pkg:composer/zendframework/zend-diactoros@1.8.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zend-diactoros@1.8.4

aliases ZF2018-01

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wz4g-j8zt-ruff

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zend-diactoros@1.3.2

Package Instance