Vulnerability CVE-2015-3154

Vulnerability Name:

CVE-2015-3154 (CCN-175624)

Assigned:

2015-05-17

Published:

2015-05-17

Updated:

2020-01-30

Summary:

CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.

CVSS v3 Severity:

6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.3 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.3 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-74

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2015-3154

Source: CONFIRM
Type: Exploit, Vendor Advisory
http://framework.zend.com/security/advisory/ZF2015-04

Source: XF
Type: UNKNOWN
zend-cve20153154-response-splitting(175624)

Source: CCN
Type: Zend Framework ZF2015-04
Potential CRLF injection attacks in mail and HTTP headers

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2015-3154

Vulnerable Configuration:

Configuration 1:

cpe:/a:zend:zend_framework:*:*:*:*:*:*:*:* (Version < 1.12.12)

OR cpe:/a:zend:zend_framework:*:*:*:*:*:*:*:* (Version >= 2.3.0 and < 2.3.8)

OR cpe:/a:zend:zend_framework:*:*:*:*:*:*:*:* (Version >= 2.4.0 and < 2.4.1)

Configuration CCN 1:

cpe:/a:zend:zend_framework:*:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.bionic:def:201531540000000	V	CVE-2015-3154 on Ubuntu 18.04 LTS (bionic) - medium.	2020-01-27
oval:com.ubuntu.xenial:def:201531540000000	V	CVE-2015-3154 on Ubuntu 16.04 LTS (xenial) - medium.	2020-01-27
oval:org.cisecurity:def:69	P	DSA-3265-1 -- zendframework -- security update	2016-02-08
oval:com.ubuntu.cosmic:def:201531540000000	V	CVE-2015-3154 on Ubuntu 18.10 (cosmic) - medium.	2015-05-08
oval:com.ubuntu.artful:def:20153154000	V	CVE-2015-3154 on Ubuntu 17.10 (artful) - medium.	2015-05-08
oval:com.ubuntu.trusty:def:20153154000	V	CVE-2015-3154 on Ubuntu 14.04 LTS (trusty) - medium.	2015-05-08
oval:com.ubuntu.bionic:def:20153154000	V	CVE-2015-3154 on Ubuntu 18.04 LTS (bionic) - medium.	2015-05-08
oval:com.ubuntu.xenial:def:20153154000	V	CVE-2015-3154 on Ubuntu 16.04 LTS (xenial) - medium.	2015-05-08
oval:com.ubuntu.cosmic:def:20153154000	V	CVE-2015-3154 on Ubuntu 18.10 (cosmic) - medium.	2015-05-08
oval:com.ubuntu.precise:def:20153154000	V	CVE-2015-3154 on Ubuntu 12.04 LTS (precise) - medium.	2015-05-08

BACK