PT-2024-40371 · Unknown · Zend Framework
Published 2024-06-07 · Updated 2024-06-07
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Zend Framework (affected versions not specified)
Description
The issue concerns improper parsing of HTTP headers that carry proxy information in certain Zend Framework components. Specifically, ZendSessionValidatorRemoteAddr and ZendViewHelperServerUrl were found to have flaws. The ZendSessionValidatorRemoteAddr component incorrectly detects the proxy URL when a client is behind a proxy server, which can produce invalid results. The ZendViewHelperServerUrl component generates URLs based on the proxy host without checking whether this is desired, and it also fails to account for the proxy port or protocol.
Recommendations
For versions of Zend Framework that include the vulnerable ZendSessionValidatorRemoteAddr and ZendViewHelperServerUrl components, consider the following:
- As a temporary workaround, restrict the use of the ZendSessionValidatorRemoteAddr and ZendViewHelperServerUrl classes until a patch is available.
- Avoid using the ZendViewHelperServerUrl helper to generate URLs when the server is behind a proxy, until the issue is resolved.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
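The two failure modes above (honouring forwarded headers from any peer, and mixing a proxy-supplied host with the backend's own port and scheme) are what a hardened implementation has to avoid. The following is an added example, not Zend Framework code: it only trusts X-Forwarded-* values when the TCP peer is in an assumed trusted-proxy list, takes scheme, host and port from the same source, and rejects host values containing special characters. Header names are assumed to arrive in canonical form.

```python
import ipaddress
import re

# Constructed trusted-proxy range for this example; not from the advisory.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")  # no CR/LF, '/', '@', spaces
DEFAULT_PORT = {"http": 80, "https": 443}


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed entry
    return any(ip in net for net in trusted)


def client_ip(headers, remote_addr, trusted=TRUSTED_PROXIES):
    """Rightmost X-Forwarded-For hop not added by a trusted proxy, else the peer."""
    if not is_trusted(remote_addr, trusted):
        return remote_addr  # peer is not our proxy: the header is untrusted, ignore it
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):  # walk back through the proxies we control
        if not is_trusted(hop, trusted):
            return hop
    return remote_addr


def server_url(headers, remote_addr, https, trusted=TRUSTED_PROXIES):
    """Return scheme://host[:port], with all three parts taken from one source."""
    if is_trusted(remote_addr, trusted) and "X-Forwarded-Host" in headers:
        scheme = headers.get("X-Forwarded-Proto", "https" if https else "http").lower()
        host = headers["X-Forwarded-Host"].split(",")[0].strip()
        port = headers.get("X-Forwarded-Port")
    else:  # not behind a trusted proxy: describe the request as actually received
        scheme = "https" if https else "http"
        host, port = headers.get("Host", ""), None
    if ":" in host:  # Host may carry its own port (IPv6 literals not handled here)
        host, _, host_port = host.partition(":")
        port = port or host_port
    if scheme not in DEFAULT_PORT or not HOST_RE.match(host):
        raise ValueError("refusing to build a URL from malformed forwarded headers")
    port = int(port) if port else DEFAULT_PORT[scheme]
    suffix = "" if port == DEFAULT_PORT[scheme] else f":{port}"
    return f"{scheme}://{host}{suffix}"
```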
Weakness Enumeration
Special Elements Injection
Affected Products
Zend Framework