Name of the Vulnerable Software and Affected Versions Zend Framework 2 (affected versions not specified)

Description The issue concerns XML Entity Expansion (XEE) attacks, specifically Quadratic Blowup Attacks, which can lead to Denial Of Service attacks against a host's RAM. This is due to the lack of a method to disable custom entities in PHP, defined internal to the XML document without using external entities. An attacker can define a long entity and refer to it multiple times in document elements, creating a memory sink. The use of certain options, such as LIBXML NOENT, can amplify the impact. Additionally, libxml2's defense against related Exponential or Billion Laugh's XEE attacks is only active when the LIBXML PARSEHUGE option is not set.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.