Vulnerable Library - zendframework/zend-http-2.4.13
Http component from Zend Framework
Found in HEAD commit: a03f21d27ef1015e6e796ec7e1023b1b8ec8f781
Vulnerabilities
| CVE | Severity | CVSS | Dependency | Type | Fixed in (zendframework/zend-http version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| WS-2022-0124 | Critical | 9.1 | zendframework/zend-http-2.4.13 | Direct | zendframework/zend-diactoros - 1.8.4, zendframework/zend-feed - 2.10.3, zendframework/zend-http - 2.8.1 | ❌ |
| WS-2018-0158 | Medium | 6.5 | zendframework/zend-http-2.4.13 | Direct | 1.8.4, 2.8.1, 2.10.3 | ❌ |
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
WS-2022-0124
Vulnerable Library - zendframework/zend-http-2.4.13
Http component from Zend Framework
Dependency Hierarchy:
- ❌ zendframework/zend-http-2.4.13 (Vulnerable Library)
Found in HEAD commit: a03f21d27ef1015e6e796ec7e1023b1b8ec8f781
Found in base branch: 2.0
Vulnerability Details
zend-diactoros (and, by extension, Expressive), zend-http (and, by extension, Zend Framework MVC projects), and zend-feed (specifically, its PubSubHubbub sub-component) each contain a potential URL rewrite exploit. In each case, marshaling a request URI includes logic that introspects HTTP request headers that are specific to a given server-side URL rewrite mechanism.
When these headers are present on systems not running the specific URL rewriting mechanism, the logic would still trigger, allowing a malicious client or proxy to emulate the headers to request arbitrary content.
Publish Date: 2022-04-29
URL: WS-2022-0124
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-f6p5-76fp-m248
Release Date: 2022-04-29
Fix Resolution: zendframework/zend-diactoros - 1.8.4,zendframework/zend-feed - 2.10.3,zendframework/zend-http - 2.8.1
WS-2018-0158
Vulnerable Library - zendframework/zend-http-2.4.13
Http component from Zend Framework
Dependency Hierarchy:
- ❌ zendframework/zend-http-2.4.13 (Vulnerable Library)
Found in HEAD commit: a03f21d27ef1015e6e796ec7e1023b1b8ec8f781
Found in base branch: 2.0
Vulnerability Details
URL Rewrite vulnerability in zendframework which exists in the projects zend-diactoros before version 1.8.4, zend-http before version 2.8.1 and zend-feed before version 2.10.3. In each case, marshaling a request URI includes logic that introspects HTTP request headers that are specific to a given server-side URL rewrite mechanism.
Publish Date: 2018-08-01
URL: WS-2018-0158
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://framework.zend.com/security/advisory/ZF2018-01
Release Date: 2018-01-07
Fix Resolution: 1.8.4,2.8.1,2.10.3