CVE-2021-3007

** DISPUTED ** Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:getlaminas:laminas-http:*:*:*:*:*:*:*:*
cpe:2.3:a:zend:zend_framework:3.0.0:*:*:*:*:*:*:*

History

27 May 2022, 13:28

Type Values Removed Values Added
References (MISC) https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ - (MISC) https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ - Exploit, Third Party Advisory

Information

Published : 2021-01-04 03:15

Updated : 2024-08-03 17:15


NVD link : CVE-2021-3007

Mitre link : CVE-2021-3007

CVE.ORG link : CVE-2021-3007


JSON object : View

Products Affected

zend

  • zend_framework

getlaminas

  • laminas-http
CWE
CWE-502

Deserialization of Untrusted Data