Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-tpdc-c3mz-zyd2

Summary

Several Zend Products Vulnerable to XXE and XEE attacks
Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0, when PHP-FPM is used, does not properly share the libxml_disable_entity_loader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.

Aliases

alias	CVE-2014-2682

alias	GHSA-gp39-h9c2-qw79

Fixed_packages

url	pkg:composer/zendframework/zendframework1@1.12.4
purl	pkg:composer/zendframework/zendframework1@1.12.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.12.4

url	pkg:composer/zendframework/zendopenid@2.0.2
purl	pkg:composer/zendframework/zendopenid@2.0.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendopenid@2.0.2

url	pkg:composer/zendframework/zendrest@2.0.2
purl	pkg:composer/zendframework/zendrest@2.0.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendrest@2.0.2

url	pkg:composer/zendframework/zendservice-amazon@2.0.3
purl	pkg:composer/zendframework/zendservice-amazon@2.0.3
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendservice-amazon@2.0.3

url	pkg:composer/zendframework/zendservice-api@1.0.0
purl	pkg:composer/zendframework/zendservice-api@1.0.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendservice-api@1.0.0

url	pkg:composer/zendframework/zendservice-audioscrobbler@2.0.2
purl	pkg:composer/zendframework/zendservice-audioscrobbler@2.0.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendservice-audioscrobbler@2.0.2

url	pkg:composer/zendframework/zendservice-nirvanix@2.0.2
purl	pkg:composer/zendframework/zendservice-nirvanix@2.0.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendservice-nirvanix@2.0.2

url	pkg:composer/zendframework/zendservice-slideshare@2.0.2
purl	pkg:composer/zendframework/zendservice-slideshare@2.0.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendservice-slideshare@2.0.2

url	pkg:composer/zendframework/zendservice-technorati@2.0.2
purl	pkg:composer/zendframework/zendservice-technorati@2.0.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendservice-technorati@2.0.2

url	pkg:composer/zendframework/zendservice-windowsazure@2.0.2
purl	pkg:composer/zendframework/zendservice-windowsazure@2.0.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendservice-windowsazure@2.0.2

Affected_packages

References

reference_url	http://advisories.mageia.org/MGASA-2014-0151.html
reference_id
reference_type
scores
url	http://advisories.mageia.org/MGASA-2014-0151.html

reference_url	http://framework.zend.com/security/advisory/ZF2014-01
reference_id
reference_type
scores
url	http://framework.zend.com/security/advisory/ZF2014-01

reference_url	http://seclists.org/oss-sec/2014/q2/0
reference_id
reference_type
scores
url	http://seclists.org/oss-sec/2014/q2/0

reference_url	https://web.archive.org/web/20140419041226/http://www.securityfocus.com/bid/66358
reference_id
reference_type
scores
url	https://web.archive.org/web/20140419041226/http://www.securityfocus.com/bid/66358

reference_url	https://web.archive.org/web/20150523055201/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:072/?name=MDVSA-2014:072
reference_id
reference_type
scores
url	https://web.archive.org/web/20150523055201/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:072/?name=MDVSA-2014:072

reference_url	http://www.debian.org/security/2015/dsa-3265
reference_id
reference_type
scores
url	http://www.debian.org/security/2015/dsa-3265

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2014-2682
reference_id	CVE-2014-2682
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2014-2682

reference_url	https://github.com/advisories/GHSA-gp39-h9c2-qw79
reference_id	GHSA-gp39-h9c2-qw79
reference_type
scores
url	https://github.com/advisories/GHSA-gp39-h9c2-qw79

Weaknesses

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

cwe_id	19
name	Data Processing Errors
description	Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tpdc-c3mz-zyd2

Vulnerability Instance