CVE-2014-2682

Name: CVE-2014-2682
Creator: NVD / NIST
Published: 2014-11-16T00:59:02.827+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 2.16%

Last modified Jun 17, 2026

CVE-2014-2682 is a vulnerability of currently unknown severity. Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0, when PHP-FPM is used, does not properly share the libxml_disable_entity_loader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.. EPSS estimates a 2.16% chance of exploitation in the next 30 days.

Description

Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0, when PHP-FPM is used, does not properly share the libxml_disable_entity_loader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.

Metrics

EPSS Probability

2.16%

79.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-19

Affected Software

Vendor	Product	Versions
Zend	Zendrest	<= 2.0.1
Zend	Zend Framework	< 1.12.4
Zend	Zend Framework	>= 2.1.0, < 2.1.6
Zend	Zend Framework	>= 2.2.0, < 2.2.6
Zend	Zendservice Slideshare	<= 2.0.1
Zend	Zendservice Api	<= 1.0.0
Zend	Zendservice Audioscrobbler	<= 2.0.1
Zend	Zendservice Amazon	<= 2.0.2
Zend	Zendservice Technorati	<= 2.0.1
Zend	Zendservice Windowsazure	<= 2.0.1
Zend	Zendopenid	<= 2.0.1
Zend	Zendservice Nirvanix	<= 2.0.1

References

http://advisories.mageia.org/MGASA-2014-0151.htmlThird Party Advisory
http://framework.zend.com/security/advisory/ZF2014-01Vendor Advisory
http://seclists.org/oss-sec/2014/q2/0Mailing List, Third Party Advisory
http://www.debian.org/security/2015/dsa-3265Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2014:072Third Party Advisory
http://www.securityfocus.com/bid/66358Third Party Advisory, VDB Entry
http://advisories.mageia.org/MGASA-2014-0151.htmlThird Party Advisory
http://framework.zend.com/security/advisory/ZF2014-01Vendor Advisory
http://seclists.org/oss-sec/2014/q2/0Mailing List, Third Party Advisory
http://www.debian.org/security/2015/dsa-3265Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2014:072Third Party Advisory
http://www.securityfocus.com/bid/66358Third Party Advisory, VDB Entry

Timeline

Published: Nov 16, 2014
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2014-2682?

How severe is CVE-2014-2682?

Severity scoring for CVE-2014-2682 is pending analysis. The EPSS model estimates a 2.16% probability of exploitation in the next 30 days.

How do I fix CVE-2014-2682?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2014-2682?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST