PT-2021-18593 · Laminas+1 · Laminas Project Laminas-Http+1

Weierophinney · Published 2021-01-04 · Updated 2024-08-03 · CVE-2021-3007

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Laminas Project laminas-http versions prior to 2.14.2; Zend Framework version 3.0.0.

Description: This is a deserialization vulnerability that can lead to remote code execution when attacker-controlled content is passed to unserialize(). The cause is the __destruct method of the Zend\Http\Response\Stream class in Stream.php. The laminas-http vendor considers this a vulnerability in the PHP language itself, but has added type checking to prevent exploitation in use cases where attacker-supplied data can be deserialized. Zend Framework is no longer supported by the maintainer.

Recommendations: For Laminas Project laminas-http versions prior to 2.14.2, update to version 2.14.2 or later. For Zend Framework version 3.0.0, there is no official fix, since the framework is no longer supported by the maintainer. As a temporary workaround, consider disabling the __destruct method of the Zend\Http\Response\Stream class until an alternative solution is found. At the moment, there is no information about a newer version of Zend Framework that contains a fix for this vulnerability.
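As an added illustration (not laminas-http's or Zend Framework's own code), a simplified stream class showing the kind of type checking described above: the destructor re-validates its properties because unserialize() bypasses the constructor, and untrusted input is deserialized with allowed_classes disabled so no such object can be created from it. The class name, property names and the temp-directory restriction are assumptions.

```php
<?php
// Added example (not laminas-http's or Zend Framework's own code): a simplified
// model of a response stream whose destructor removes a temporary file.
final class HardenedStream
{
    /** @var string|null path of the temp file backing the stream */
    private $streamName;
    /** @var bool whether the file should be removed on destruction */
    private $cleanup;

    public function __construct(string $streamName, bool $cleanup = true)
    {
        $this->streamName = $streamName;
        $this->cleanup = $cleanup;
    }

    public function __destruct()
    {
        // unserialize() restores properties without running the constructor,
        // so the declared types cannot be trusted here; re-check them.
        if ($this->cleanup !== true || !is_string($this->streamName)) {
            return;
        }
        // Assumed extra hardening: only remove files inside the temp directory.
        $real = realpath($this->streamName);
        $tmp  = realpath(sys_get_temp_dir());
        if ($real === false || $tmp === false
            || strpos($real, $tmp . DIRECTORY_SEPARATOR) !== 0) {
            return;
        }
        unlink($real);
    }
}

/**
 * Deserialize untrusted input without instantiating any class: objects in
 * the payload become __PHP_Incomplete_Class, which has no destructor to run.
 */
function unserializeUntrusted(string $payload)
{
    return unserialize($payload, ['allowed_classes' => false]);
}

// Legitimate use: the temp file is removed when the object goes out of scope.
$path = tempnam(sys_get_temp_dir(), 'stream');
$stream = new HardenedStream($path, true);
unset($stream);
var_dump(file_exists($path)); // check whether the destructor removed the file
```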

Exploit

Fix

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2021-3007
GHSA-XX8F-QF9F-5FGW

Affected Products

Laminas Project Laminas-Http
Zend Framework