Zend Framework < 2.3.8 / 2.4.x < 2.4.1 HTTP Response Splitting
Severity: Medium. Nessus Network Monitor Plugin ID 9138.
Synopsis
The remote host is using a version of Zend Framework that is vulnerable to HTTP response splitting attacks.

Description
Versions of Zend Framework earlier than 2.3.8, or 2.4.x earlier than 2.4.1, are vulnerable to a flaw in the 'Zend\Mail' and 'Zend\Http' components. The flaw is triggered because CRLF (Carriage Return and Line Feed) character sequences are not properly sanitized before being included in responses, so a value containing CRLF terminates the current header line and starts a new one. This allows a context-dependent attacker to inject additional headers into responses and conduct HTTP response splitting attacks.

Solution
Upgrade Zend Framework to version 2.4.1 or later. If version 2.4.x is not available, version 2.3.8 is also patched for these vulnerabilities.
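The following is an added illustration of the defect class described above; it is not part of this plugin entry and is not Zend Framework's own code. A minimal Python header serializer is shown twice: once interpolating a constructed tainted value without checks, so the embedded CRLF yields an extra header when the response is parsed back, and once rejecting any value that is not a valid RFC 7230 field-value (the names build_raw_response, build_safe_response and the sample value are assumptions made for this example).

```python
import re

# Constructed sample: a user-controlled value into which a CRLF sequence
# has been embedded, the condition the advisory describes.
TAINTED_VALUE = "attacker\r\nSet-Cookie: session=forged"


def build_raw_response(headers: dict) -> str:
    """Naive serializer: interpolates each value without checking for CR/LF,
    so an embedded CRLF ends the header line early and starts a new one."""
    lines = ["HTTP/1.1 200 OK"]
    for name, value in headers.items():
        lines.append(f"{name}: {value}")
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_header_names(raw: str) -> list:
    """Return the header names a receiver would see in a serialized response."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


# RFC 7230 field-value characters: HTAB, SP, visible ASCII and obs-text.
# Bare CR, LF and other control characters are excluded.
_FIELD_VALUE_RE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


def assert_safe_header_value(value: str) -> str:
    """Reject, rather than strip, values that could split the header block."""
    if not _FIELD_VALUE_RE.fullmatch(value):
        raise ValueError("header value contains CR, LF or a control character")
    return value


def build_safe_response(headers: dict) -> str:
    """Hardened serializer: validates every value before interpolation."""
    return build_raw_response(
        {name: assert_safe_header_value(value) for name, value in headers.items()}
    )
```

Rejecting the value (as the patched framework versions do) rather than silently stripping CR/LF makes the injection attempt visible in application error logs.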