PT-2014-4867 · Zend · Zendservice Nirvanix+10

Lukas Reschke · Published 2014-04-03 · Updated 2022-05-14 · CVE-2014-2681

CVSS v2.0: 6.4 (Medium), Vector AV:N/AC:L/Au:N/C:P/I:N/A:P
Name of the Vulnerable Software and Affected Versions

Zend Framework 1 versions 1.12.3 and earlier
Zend Framework 2 versions 2.1.5 and earlier, 2.2.x versions 2.2.5 and earlier
ZendOpenId version 2.0.1 and earlier
ZendRest version 2.0.1 and earlier
ZendService AudioScrobbler version 2.0.1 and earlier
ZendService Nirvanix version 2.0.1 and earlier
ZendService SlideShare version 2.0.1 and earlier
ZendService Technorati version 2.0.1 and earlier
ZendService WindowsAzure version 2.0.1 and earlier
ZendService Amazon version 2.0.2 and earlier
ZendService Api version 0.9.9 and earlier

Description

The issue allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service via an XML External Entity (XXE) attack. This occurs due to an incomplete fix for a previous issue.

Recommendations

For Zend Framework 1 versions 1.12.3 and earlier, update to version 1.12.4 or later.
For Zend Framework 2 versions 2.1.5 and earlier, update to version 2.1.6 or later.
For Zend Framework 2 versions 2.2.x 2.2.5 and earlier, update to version 2.2.6 or later.
For ZendOpenId version 2.0.1 and earlier, update to version 2.0.2 or later.
For ZendRest version 2.0.1 and earlier, update to version 2.0.2 or later.
For ZendService AudioScrobbler version 2.0.1 and earlier, update to version 2.0.2 or later.
For ZendService Nirvanix version 2.0.1 and earlier, update to version 2.0.2 or later.
For ZendService SlideShare version 2.0.1 and earlier, update to version 2.0.2 or later.
For ZendService Technorati version 2.0.1 and earlier, update to version 2.0.2 or later.
For ZendService WindowsAzure version 2.0.1 and earlier, update to version 2.0.2 or later.
For ZendService Amazon version 2.0.2 and earlier, update to version 2.0.3 or later.
For ZendService Api version 0.9.9 and earlier, update to version 1.0.0 or later.
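The advisory describes the impact of the XXE flaw but not the fix, so the following is an added illustration of the defensive pattern a PHP application can apply to untrusted XML, not the Zend Framework's own patch. The function name `loadXmlSafely` and the two sample documents are constructed for this example; the libxml calls and constants are standard PHP.

```php
<?php
// Added example, not Zend Framework code: a defensive XML loader that refuses
// the inputs an XXE attack relies on. Function name and sample inputs are constructed.
declare(strict_types=1);

function loadXmlSafely(string $xml): ?DOMDocument
{
    // Before PHP 8.0 libxml resolves external entities by default; turn that off
    // for the duration of the parse. PHP 8.0+ no longer needs (and deprecates) this call.
    $loaderWasDisabled = null;
    if (PHP_VERSION_ID < 80000) {
        $loaderWasDisabled = libxml_disable_entity_loader(true);
    }
    // Collect parser errors instead of emitting warnings on malformed input.
    $useInternalErrors = libxml_use_internal_errors(true);

    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT and
    // LIBXML_DTDLOAD are deliberately absent: they would expand entities / fetch DTDs.
    $parsed = $dom->loadXML($xml, LIBXML_NONET);

    // Reject any DOCTYPE that declares entities. Even with external loading off,
    // internal entity declarations enable entity-expansion denial of service.
    if ($parsed) {
        foreach ($dom->childNodes as $node) {
            if ($node instanceof DOMDocumentType && $node->entities->length > 0) {
                $parsed = false;
                break;
            }
        }
    }

    // Restore global libxml state so unrelated code is unaffected.
    libxml_clear_errors();
    libxml_use_internal_errors($useInternalErrors);
    if ($loaderWasDisabled !== null) {
        libxml_disable_entity_loader($loaderWasDisabled);
    }

    return $parsed ? $dom : null;
}

// Constructed inputs: a plain document and one carrying an entity declaration.
$samples = [
    'plain document'      => '<?xml version="1.0"?><order><id>42</id></order>',
    'entity declaration'  => '<?xml version="1.0"?><!DOCTYPE order [<!ENTITY e "x">]><order>&e;</order>',
];

foreach ($samples as $label => $input) {
    echo $label, ': ', loadXmlSafely($input) === null ? 'rejected' : 'accepted', PHP_EOL;
}
```

The two controls are independent: disabling the entity loader and passing `LIBXML_NONET` stops file and network fetches, while rejecting entity-declaring DOCTYPEs closes the expansion-based denial of service that needs no external resource at all. Many deployments simplify the second check to rejecting any DOCTYPE, which is the stricter choice when the application never legitimately consumes DTDs.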

Fix

DoS

XXE


Weakness Enumeration

Related Identifiers

CVE-2014-2681
DLA-251-1
DSA-3265-1
DSA-3265-2
GHSA-43XG-87XW-JPV8
MGASA-2014-0151

Affected Products

Zend Framework 1
Zend Framework 2
Zendopenid
Zendrest
Zendservice Amazon
Zendservice Api
Zendservice Audioscrobbler
Zendservice Nirvanix
Zendservice Slideshare
Zendservice Technorati
Zendservice Windowsazure