Vulnerability Name:

CVE-2012-3363 (CCN-76533)

Assigned: 2012-06-26
Published: 2012-06-26
Updated: 2013-12-05
Summary: Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
5.0 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.9 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-noinfo
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2012-3363

Source: CCN
Type: ZF2012-01
Local file disclosure via XXE injection in Zend_XmlRpc

Source: CONFIRM
Type: UNKNOWN
http://framework.zend.com/security/advisory/ZF2012-01

Source: CONFIRM
Type: UNKNOWN
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284

Source: FEDORA
Type: UNKNOWN
FEDORA-2013-4404

Source: FEDORA
Type: UNKNOWN
FEDORA-2013-4387

Source: MLIST
Type: UNKNOWN
[oss-security] 20130325 Moodle security notifications public

Source: CCN
Type: Packetstorm Security Website
Zend Framework XXE Injection

Source: CCN
Type: SA49665
Zend Framework "Zend_XmlRpc" XML Entity References Information Disclosure Vulnerability

Source: CCN
Type: SA49866
Magento Zend Framework XML Entity References Information Disclosure Vulnerability

Source: DEBIAN
Type: UNKNOWN
DSA-2505

Source: DEBIAN
Type: DSA-2505
zendframework -- information disclosure

Source: MLIST
Type: UNKNOWN
[oss-security] 20120626 XXE in Zend

Source: MLIST
Type: UNKNOWN
[oss-security] 20120626 Re: XXE in Zend

Source: MLIST
Type: UNKNOWN
[oss-security] 20120627 Re: XXE in Zend

Source: CCN
Type: BID-54192
Zend Framework 'Zend_XmlRpc' Class Information Disclosure Vulnerability

Source: SECTRACK
Type: UNKNOWN
1027208

Source: XF
Type: UNKNOWN
zendframework-zendxmlrpc-info-disc(76533)

Source: CCN
Type: MSA-13-0016
External Entity Injection through Zend library

Source: CONFIRM
Type: UNKNOWN
https://moodle.org/mod/forum/discuss.php?d=225345

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [07-13-2012]

Source: CCN
Type: SEC Consult Vulnerability Lab Security Advisory < 20120626-0 >
Local file disclosure via XXE injection

Source: MISC
Type: UNKNOWN
https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:zend:zend_framework:1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.0.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.0.0:rc2:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.0.0:rc2a:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.0.0:rc3:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.5.0:pl:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.5.0:pr:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.5.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.5.0:rc2:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.5.0:rc3:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.5.2:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.5.3:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.6.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.6.0:rc2:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.6.0:rc3:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.7.0:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.7.0:pl1:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.7.0:pr:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.7.1:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.7.2:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.7.3:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.7.3:pl1:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.7.4:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.7.5:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.7.6:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.7.7:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.7.8:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.7.9:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.8.0:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.8.0:a1:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.8.0:b1:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.8.1:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.8.2:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.8.3:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.8.4:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.8.4:pl1:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.8.5:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.9.0:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.9.0:a1:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.9.0:b1:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.9.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.9.1:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.9.2:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.9.3:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.9.3:pl1:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.9.4:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.9.5:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.9.6:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.9.7:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.9.8:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.10.0:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.10.0:alpha1:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.10.0:beta1:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.10.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.10.1:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.10.2:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.10.3:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.10.4:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.10.5:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.10.6:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.10.7:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.10.8:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.10.9:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.11.0:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.11.0:b1:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.11.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.11.1:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.11.2:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.11.3:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.11.4:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.11.5:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.11.6:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.11.7:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.11.8:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.11.9:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.11.10:*:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.11.11:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/a:zend:zend_framework:1.12.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.12.0:rc2:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.12.0:rc3:*:*:*:*:*:*
  • OR cpe:/a:zend:zend_framework:1.12.0:rc4:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:moodle:moodle:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:moodle:moodle:2.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:moodle:moodle:2.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:moodle:moodle:2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:moodle:moodle:2.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:moodle:moodle:2.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:moodle:moodle:2.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:moodle:moodle:2.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:moodle:moodle:2.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:moodle:moodle:2.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:moodle:moodle:2.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:moodle:moodle:2.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:moodle:moodle:2.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:moodle:moodle:2.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:moodle:moodle:2.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:moodle:moodle:2.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:moodle:moodle:2.2.7:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.mitre.oval:def:18198 | P | DSA-2505-1 zendframework - information disclosure | 2014-06-23
oval:com.ubuntu.cosmic:def:201233630000000 | V | CVE-2012-3363 on Ubuntu 18.10 (cosmic) - medium. | 2013-02-13
oval:com.ubuntu.artful:def:20123363000 | V | CVE-2012-3363 on Ubuntu 17.10 (artful) - medium. | 2013-02-13
oval:com.ubuntu.trusty:def:20123363000 | V | CVE-2012-3363 on Ubuntu 14.04 LTS (trusty) - medium. | 2013-02-13
oval:com.ubuntu.bionic:def:201233630000000 | V | CVE-2012-3363 on Ubuntu 18.04 LTS (bionic) - medium. | 2013-02-13
oval:com.ubuntu.bionic:def:20123363000 | V | CVE-2012-3363 on Ubuntu 18.04 LTS (bionic) - medium. | 2013-02-13
oval:com.ubuntu.xenial:def:20123363000 | V | CVE-2012-3363 on Ubuntu 16.04 LTS (xenial) - medium. | 2013-02-13
oval:com.ubuntu.xenial:def:201233630000000 | V | CVE-2012-3363 on Ubuntu 16.04 LTS (xenial) - medium. | 2013-02-13
oval:com.ubuntu.cosmic:def:20123363000 | V | CVE-2012-3363 on Ubuntu 18.10 (cosmic) - medium. | 2013-02-13
oval:com.ubuntu.precise:def:20123363000 | V | CVE-2012-3363 on Ubuntu 12.04 LTS (precise) - medium. | 2013-02-13