Skip to content

CakePHP vulnerable to Denial of Service attack through XML payloads

High severity GitHub Reviewed Published Jan 20, 2023 to the GitHub Advisory Database • Updated Jan 20, 2023

Package

composer cakephp/cakephp (Composer)

Affected versions

>= 3.0.0, < 3.0.6
>= 2.0.0, < 2.0.99
>= 2.1.0, < 2.1.99
>= 2.2.0, < 2.2.99
>= 2.3.0, < 2.3.99
>= 2.4.0, < 2.4.99
>= 2.5.0, < 2.5.90
>= 2.6.0, < 2.6.6

Patched versions

3.0.6
2.0.99
2.1.99
2.2.99
2.3.99
2.4.99
2.5.90
2.6.6

Description

RequestHandlerComponent had a vulnerability that would allow well crafted requests to create a denial of service attack. RequestHandlerComponent leverages Xml::build() which allows reading local files. We recommend that all applications using RequestHandlerComponent upgrade, or disable parsing XML payloads.

References

Published to the GitHub Advisory Database Jan 20, 2023
Reviewed Jan 20, 2023
Last updated Jan 20, 2023

Severity

High

EPSS score

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-q79m-c546-2g63

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.