CVE-2013-1824

The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.12 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=188c196d4da60bdde9190d2fc532650d17f7af2d
http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=afe98b7829d50806559acac9b530acb8283c3bf4
http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html	Broken Link Mailing List
http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1824.html	Third Party Advisory
http://support.apple.com/kb/HT5880	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=918187	Issue Tracking Patch Third Party Advisory
http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=188c196d4da60bdde9190d2fc532650d17f7af2d
http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=afe98b7829d50806559acac9b530acb8283c3bf4
http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html	Broken Link Mailing List
http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1824.html	Third Party Advisory
http://support.apple.com/kb/HT5880	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=918187	Issue Tracking Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:redhat:enterprise_linux:5:::::::*
	cpe:2.3:o:redhat:enterprise_linux:6.0:::::::*

Configuration 2 (hide)

cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*

Configuration 3 (hide)

OR	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::

History

21 Nov 2024, 01:50

Type	Values Removed	Values Added
References	~~() http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=188c196d4da60bdde9190d2fc532650d17f7af2d -~~	() http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=188c196d4da60bdde9190d2fc532650d17f7af2d -
References	~~() http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=afe98b7829d50806559acac9b530acb8283c3bf4 -~~	() http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=afe98b7829d50806559acac9b530acb8283c3bf4 -
References	~~() http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html - Broken Link, Mailing List~~	() http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html - Broken Link, Mailing List
References	~~() http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1824.html - Third Party Advisory~~	() http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1824.html - Third Party Advisory
References	~~() http://support.apple.com/kb/HT5880 - Third Party Advisory~~	() http://support.apple.com/kb/HT5880 - Third Party Advisory
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=918187 - Issue Tracking, Patch, Third Party Advisory~~	() https://bugzilla.redhat.com/show_bug.cgi?id=918187 - Issue Tracking, Patch, Third Party Advisory

Information

Published : 2013-09-16 13:02

Updated : 2025-04-11 00:51

NVD link : CVE-2013-1824

Mitre link : CVE-2013-1824

CVE.ORG link : CVE-2013-1824

JSON object : View

Products Affected

apple

mac_os_x

redhat

enterprise_linux

php

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2013-1824", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2013-09-16T13:02:34.627", "references": [{"url": "http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=188c196d4da60bdde9190d2fc532650d17f7af2d", "source": "secalert@redhat.com"}, {"url": "http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=afe98b7829d50806559acac9b530acb8283c3bf4", "source": "secalert@redhat.com"}, {"url": "http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html", "tags": ["Broken Link", "Mailing List"], "source": "secalert@redhat.com"}, {"url": "http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1824.html", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "http://support.apple.com/kb/HT5880", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=918187", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=188c196d4da60bdde9190d2fc532650d17f7af2d", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=afe98b7829d50806559acac9b530acb8283c3bf4", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html", "tags": ["Broken Link", "Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1824.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://support.apple.com/kb/HT5880", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=918187", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.12 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions."}, {"lang": "es", "value": "El validador SOAP en PHP anterior a 5.3.22 y 5.4.x anterior a 5.4.12 permite a atacantes remotos leer archivos a discrecci\u00f3n a trav\u00e9s de un archivo SOAP WSDL que contenga una declaraci\u00f3n de entidad XML externa en conjunto con una referencia de entidad, relacionada con un problema de XML External Entity (XXE) en las funciones soap_xmlParseFile y soap_xmlParseMemory."}], "lastModified": "2025-04-11T00:51:21.963", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AA9B3CC0-DF1C-4A86-B2A3-A9D428A5A6E6"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BB569AA1-5B0E-464F-85C8-5689613816C9", "versionEndExcluding": "10.8.5", "versionStartIncluding": "10.0.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "42220E0E-A2BF-4C14-A5CD-53B5492F5D47", "versionEndExcluding": "5.3.22"}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3A175B9F-F513-4750-A976-2FC5B4122077", "versionEndExcluding": "5.4.12", "versionStartIncluding": "5.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}

4.3 /10