Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04NDhmLW1waDUtOXBtOc4AA80V
Zendframework Potential Information Disclosure and Insufficient Entropy vulnerability
In Zend Framework, Zend_Captcha_Word (v1) and Zend\Captcha\Word (v2) generate a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this advisory, the selection was performed using PHP's internal array_rand() function. This function does not generate sufficient entropy due to its usage of rand() instead of more cryptographically secure methods such as openssl_pseudo_random_bytes(). This could potentially lead to information disclosure should an attacker be able to brute force the random number generation.
Permalink: https://github.com/advisories/GHSA-848f-mph5-9pm9JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04NDhmLW1waDUtOXBtOc4AA80V
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 4 months ago
Updated: 4 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-848f-mph5-9pm9
References:
- https://framework.zend.com/security/advisory/ZF2015-09
- https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2015-09.yaml
- https://github.com/advisories/GHSA-848f-mph5-9pm9
Affected Packages
packagist:zendframework/zendframework1
Dependent packages: 151Dependent repositories: 841
Downloads: 6,593,837 total
Affected Version Ranges: >= 1.12.0, < 1.12.17
Fixed in: 1.12.17
All affected versions: 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.12.7, 1.12.8, 1.12.9, 1.12.10, 1.12.11, 1.12.12, 1.12.13, 1.12.14, 1.12.15, 1.12.16
All unaffected versions: 1.12.17, 1.12.18, 1.12.19, 1.12.20