CVE-2014-2683

Name: CVE-2014-2683
Creator: NVD / NIST
Published: 2014-11-16T00:59:03.92+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 2.37%

Last modified Jun 17, 2026

CVE-2014-2683 is a vulnerability of currently unknown severity. Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to cause a denial of service (CPU consumption) via (1) recursive or (2) circular references in an XML entity definition in an XML DOCTYPE declaration, aka an XML Entity Expansion (XEE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-6532.. EPSS estimates a 2.37% chance of exploitation in the next 30 days.

Description

Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to cause a denial of service (CPU consumption) via (1) recursive or (2) circular references in an XML entity definition in an XML DOCTYPE declaration, aka an XML Entity Expansion (XEE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-6532.

Metrics

EPSS Probability

2.37%

81.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-17

Affected Software

Vendor	Product	Versions
Zend	Zendrest	<= 2.0.1
Zend	Zend Framework	< 1.12.4
Zend	Zend Framework	>= 2.1.0, < 2.1.6
Zend	Zend Framework	>= 2.2.0, < 2.2.6
Zend	Zendservice Slideshare	<= 2.0.1
Zend	Zendservice Api	<= 1.0.0
Zend	Zendservice Audioscrobbler	<= 2.0.1
Zend	Zendservice Amazon	<= 2.0.2
Zend	Zendservice Technorati	<= 2.0.1
Zend	Zendservice Windowsazure	<= 2.0.1
Zend	Zendopenid	<= 2.0.1
Zend	Zendservice Nirvanix	<= 2.0.1

References

http://advisories.mageia.org/MGASA-2014-0151.htmlThird Party Advisory
http://framework.zend.com/security/advisory/ZF2014-01Vendor Advisory
http://seclists.org/oss-sec/2014/q2/0Mailing List, Third Party Advisory
http://www.debian.org/security/2015/dsa-3265Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2014:072Third Party Advisory
http://www.securityfocus.com/bid/66358Third Party Advisory, VDB Entry
http://advisories.mageia.org/MGASA-2014-0151.htmlThird Party Advisory
http://framework.zend.com/security/advisory/ZF2014-01Vendor Advisory
http://seclists.org/oss-sec/2014/q2/0Mailing List, Third Party Advisory
http://www.debian.org/security/2015/dsa-3265Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2014:072Third Party Advisory
http://www.securityfocus.com/bid/66358Third Party Advisory, VDB Entry

Timeline

Published: Nov 16, 2014
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2014-2683?

How severe is CVE-2014-2683?

Severity scoring for CVE-2014-2683 is pending analysis. The EPSS model estimates a 2.37% probability of exploitation in the next 30 days.

How do I fix CVE-2014-2683?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2014-2683?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST