GitHub Advisory DatabaseGHSA-MG7H-9QFX-4R83ZendFramework Potential Proxy Injection Vulnerabilities
7.1 High
AI Score
Confidence
Low
Zend\Session\Validator\RemoteAddr and Zend\View\Helper\ServerUrl were found to be improperly parsing HTTP headers for proxy information, which could potentially allow an attacker to spoof a proxied IP or host name.
In Zend\Session\Validator\RemoteAddr, if the client is behind a proxy server, the detection of the proxy URL was incorrect, and could lead to invalid results on subsequent lookups.
In Zend\View\Helper\ServerUrl, if the server lives behind a proxy, the helper would always generate a URL based on the proxy host, regardless of whether or not this was desired; additionally, it did not take into account the proxy port or protocol, if provided.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| zendframework/zendframework | lt | 2.0.5 |
References
framework.zend.com/security/advisory/ZF2012-04
github.com/advisories/GHSA-mg7h-9qfx-4r83
github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/ZF2012-04.yaml
github.com/zendframework/zendframework/commit/1040acaf70d297ec7214934d8ddc3e811d249b5c
github.com/zendframework/zendframework/commit/ad8fdc3378710b7cfbe2a271dbb0e3256cffb599
github.com/zendframework/zendframework/commit/ada1fab92f6d5c7ad96c5a63f3196d925e3f5887
github.com/zendframework/zendframework/commit/b914ecdd4d17ab5b61f15ccdc02a6e9b255b15d8
github.com/zendframework/zendframework/commit/c3819abbf2c9571069c893d27ae6170bda413925
github.com/zendframework/zendframework/commit/cfaf5ea095c93f3e70343358a3a88c3924d7ed7d
7.1 High
AI Score
Confidence
Low