PT-2014-4869 · Zend · Zendservice Nirvanix+10
Published: 2014-04-03 · Updated: 2022-05-14 · CVE-2014-2683
CVSS v2.0: 5.0 (Medium)
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:P |
Name of the Vulnerable Software and Affected Versions
Zend Framework 1 versions 1.12.3 and earlier
Zend Framework 2 versions 2.1.5 and earlier, 2.2.x versions 2.2.5 and earlier
ZendOpenId version 2.0.1 and earlier
ZendRest version 2.0.1 and earlier
ZendService AudioScrobbler version 2.0.1 and earlier
ZendService Nirvanix version 2.0.1 and earlier
ZendService SlideShare version 2.0.1 and earlier
ZendService Technorati version 2.0.1 and earlier
ZendService WindowsAzure version 2.0.1 and earlier
ZendService Amazon version 2.0.2 and earlier
ZendService Api version 1.0.0 and earlier
Description
The issue allows remote attackers to cause a denial of service (CPU consumption) via recursive or circular references in an XML entity definition in an XML DOCTYPE declaration, also known as an XML Entity Expansion (XEE) attack.
Recommendations
Update to Zend Framework 1 version 1.12.4 or later
Update to Zend Framework 2 version 2.1.6 or later, or 2.2.x version 2.2.6 or later
Update to ZendOpenId version 2.0.2 or later
Update to ZendRest version 2.0.2 or later
Update to ZendService AudioScrobbler version 2.0.2 or later
Update to ZendService Nirvanix version 2.0.2 or later
Update to ZendService SlideShare version 2.0.2 or later
Update to ZendService Technorati version 2.0.2 or later
Update to ZendService WindowsAzure version 2.0.2 or later
Update to ZendService Amazon version 2.0.3 or later
Update to ZendService Api version 1.0.0 or later
Fix
DoS
XML Entity Expansion
XXE
Affected products
Zend Framework 1
Zend Framework 2
Zendopenid
Zendrest
Zendservice Amazon
Zendservice Api
Zendservice Audioscrobbler
Zendservice Nirvanix
Zendservice Slideshare
Zendservice Technorati
Zendservice Windowsazure