CVE-2013-1643

The SOAP parser in PHP before 5.3.23 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-1824.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 79%
Affected Products (NVD)
VendorProductVersion
phpphp
𝑥
≤ 5.3.21
phpphp
1.0
phpphp
2.0
phpphp
2.0b10:b10
phpphp
3.0
phpphp
3.0.1
phpphp
3.0.2
phpphp
3.0.3
phpphp
3.0.4
phpphp
3.0.5
phpphp
3.0.6
phpphp
3.0.7
phpphp
3.0.8
phpphp
3.0.9
phpphp
3.0.10
phpphp
3.0.11
phpphp
3.0.12
phpphp
3.0.13
phpphp
3.0.14
phpphp
3.0.15
phpphp
3.0.16
phpphp
3.0.17
phpphp
3.0.18
phpphp
4.0:beta_4_patch1
phpphp
4.0:beta1
phpphp
4.0:beta2
phpphp
4.0:beta3
phpphp
4.0:beta4
phpphp
4.0.0
phpphp
4.0.1
phpphp
4.0.2
phpphp
4.0.3
phpphp
4.0.4
phpphp
4.0.5
phpphp
4.0.6
phpphp
4.0.7
phpphp
4.1.0
phpphp
4.1.1
phpphp
4.1.2
phpphp
4.2.0
phpphp
4.2.1
phpphp
4.2.2
phpphp
4.2.3
phpphp
4.3.0
phpphp
4.3.1
phpphp
4.3.2
phpphp
4.3.3
phpphp
4.3.4
phpphp
4.3.5
phpphp
4.3.6
phpphp
4.3.7
phpphp
4.3.8
phpphp
4.3.9
phpphp
4.3.10
phpphp
4.3.11
phpphp
4.4.0
phpphp
4.4.1
phpphp
4.4.2
phpphp
4.4.3
phpphp
4.4.4
phpphp
4.4.5
phpphp
4.4.6
phpphp
4.4.7
phpphp
4.4.8
phpphp
4.4.9
phpphp
5.0.0
phpphp
5.0.0:beta1
phpphp
5.0.0:beta2
phpphp
5.0.0:beta3
phpphp
5.0.0:beta4
phpphp
5.0.0:rc1
phpphp
5.0.0:rc2
phpphp
5.0.0:rc3
phpphp
5.0.1
phpphp
5.0.2
phpphp
5.0.3
phpphp
5.0.4
phpphp
5.0.5
phpphp
5.1.0
phpphp
5.1.1
phpphp
5.1.2
phpphp
5.1.3
phpphp
5.1.4
phpphp
5.1.5
phpphp
5.1.6
phpphp
5.2.0
phpphp
5.2.1
phpphp
5.2.2
phpphp
5.2.3
phpphp
5.2.4
phpphp
5.2.5
phpphp
5.2.6
phpphp
5.2.7
phpphp
5.2.8
phpphp
5.2.9
phpphp
5.2.10
phpphp
5.2.11
phpphp
5.2.12
phpphp
5.2.13
phpphp
5.2.14
phpphp
5.2.15
phpphp
5.2.16
phpphp
5.2.17
phpphp
5.3.0
phpphp
5.3.1
phpphp
5.3.2
phpphp
5.3.3
phpphp
5.3.4
phpphp
5.3.5
phpphp
5.3.6
phpphp
5.3.7
phpphp
5.3.8
phpphp
5.3.9
phpphp
5.3.10
phpphp
5.3.11
phpphp
5.3.12
phpphp
5.3.13
phpphp
5.3.14
phpphp
5.3.15
phpphp
5.3.16
phpphp
5.3.17
phpphp
5.3.18
phpphp
5.3.19
phpphp
5.3.20
phpphp
5.4.0
phpphp
5.4.1
phpphp
5.4.2
phpphp
5.4.3
phpphp
5.4.4
phpphp
5.4.5
phpphp
5.4.6
phpphp
5.4.7
phpphp
5.4.8
phpphp
5.4.9
phpphp
5.4.10
phpphp
5.4.11
phpphp
5.4.12
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
php5
hardy
Fixed 5.2.4-2ubuntu5.27
released
lucid
Fixed 5.3.2-1ubuntu4.19
released
oneiric
Fixed 5.3.6-13ubuntu3.10
released
precise
Fixed 5.3.10-1ubuntu3.6
released
quantal
Fixed 5.4.6-1ubuntu1.2
released
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
php
RHEL 6
0:5.3.3-26.el6
fixed
php-bcmath
RHEL 6
0:5.3.3-26.el6
fixed
php-cli
RHEL 6
0:5.3.3-26.el6
fixed
php-common
RHEL 6
0:5.3.3-26.el6
fixed
php-dba
RHEL 6
0:5.3.3-26.el6
fixed
php-devel
RHEL 6
0:5.3.3-26.el6
fixed
php-embedded
RHEL 6
0:5.3.3-26.el6
fixed
php-enchant
RHEL 6
0:5.3.3-26.el6
fixed
php-fpm
RHEL 6
0:5.3.3-26.el6
fixed
php-gd
RHEL 6
0:5.3.3-26.el6
fixed
php-imap
RHEL 6
0:5.3.3-26.el6
fixed
php-intl
RHEL 6
0:5.3.3-26.el6
fixed
php-ldap
RHEL 6
0:5.3.3-26.el6
fixed
php-mbstring
RHEL 6
0:5.3.3-26.el6
fixed
php-mysql
RHEL 6
0:5.3.3-26.el6
fixed
php-odbc
RHEL 6
0:5.3.3-26.el6
fixed
php-pdo
RHEL 6
0:5.3.3-26.el6
fixed
php-pgsql
RHEL 6
0:5.3.3-26.el6
fixed
php-process
RHEL 6
0:5.3.3-26.el6
fixed
php-pspell
RHEL 6
0:5.3.3-26.el6
fixed
php-recode
RHEL 6
0:5.3.3-26.el6
fixed
php-snmp
RHEL 6
0:5.3.3-26.el6
fixed
php-soap
RHEL 6
0:5.3.3-26.el6
fixed
php-tidy
RHEL 6
0:5.3.3-26.el6
fixed
php-xml
RHEL 6
0:5.3.3-26.el6
fixed
php-xmlrpc
RHEL 6
0:5.3.3-26.el6
fixed
php-zts
RHEL 6
0:5.3.3-26.el6
fixed
Common Weakness Enumeration
References
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702221
http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=8e76d0404b7f664ee6719fd98f0483f0ac4669d6
http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00034.html
http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00006.html
http://rhn.redhat.com/errata/RHSA-2013-1307.html
http://rhn.redhat.com/errata/RHSA-2013-1615.html
http://secunia.com/advisories/55078
http://support.apple.com/kb/HT5880
http://www.debian.org/security/2013/dsa-2639
http://www.mandriva.com/security/advisories?name=MDVSA-2013:114
http://www.php.net/ChangeLog-5.php
http://www.ubuntu.com/usn/USN-1761-1
https://bugs.gentoo.org/show_bug.cgi?id=459904
https://bugzilla.redhat.com/show_bug.cgi?id=918187
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0101
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702221
http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=8e76d0404b7f664ee6719fd98f0483f0ac4669d6
http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00034.html
http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00006.html
http://rhn.redhat.com/errata/RHSA-2013-1307.html
http://rhn.redhat.com/errata/RHSA-2013-1615.html
http://secunia.com/advisories/55078
http://support.apple.com/kb/HT5880
http://www.debian.org/security/2013/dsa-2639
http://www.mandriva.com/security/advisories?name=MDVSA-2013:114
http://www.php.net/ChangeLog-5.php
http://www.ubuntu.com/usn/USN-1761-1
https://bugs.gentoo.org/show_bug.cgi?id=459904
https://bugzilla.redhat.com/show_bug.cgi?id=918187
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0101