
Zend Framework < 2.3.8 / 2.4.x < 2.4.1 HTTP Response Splitting

Medium

Synopsis

The remote host is using a version of Zend Framework that is vulnerable to HTTP response splitting attacks.

Description

Versions of Zend Framework earlier than 2.3.8, or 2.4.x earlier than 2.4.1, are vulnerable to a flaw in the 'Zend\Mail' and 'Zend\Http' components: CRLF (carriage return and line feed) character sequences are not properly sanitized before being included in responses. This allows a context-dependent attacker to inject additional headers into responses and conduct HTTP response splitting attacks.
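As an added example (written in Python for illustration, not code from Zend Framework or from this advisory), the check that closes this class of bug: a header serialiser that rejects CR, LF and other control characters before a field value is written, shown beside the unvalidated concatenation the advisory describes. The header names and values are constructed samples; the same rule applies to mail headers as to HTTP headers.

```python
import re

# Control characters that must never appear inside a header field value.
# CR (\x0d) and LF (\x0a) terminate a header line, so an unvalidated value
# containing them lets the sender smuggle extra header lines into the
# response; NUL and the other C0 controls are rejected as well. HTAB (\x09)
# is legal in a field value and is deliberately left out of this class.
_FORBIDDEN_IN_VALUE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")

# RFC 7230 "token": the characters allowed in a header field name.
_VALID_FIELD_NAME = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class HeaderInjectionError(ValueError):
    """Raised when a header would split the response if serialised as-is."""


def is_safe_header(name: str, value: str) -> bool:
    """True only if both name and value can be written as one header line."""
    return bool(_VALID_FIELD_NAME.match(name)) and not _FORBIDDEN_IN_VALUE.search(value)


def render_headers_unsafe(headers):
    """The pre-fix behaviour: values are concatenated without any check."""
    return "".join(f"{name}: {value}\r\n" for name, value in headers) + "\r\n"


def render_headers_safe(headers):
    """Hardened variant: every header is validated before serialisation."""
    for name, value in headers:
        if not is_safe_header(name, value):
            raise HeaderInjectionError(f"control character or bad token in header {name!r}")
    return render_headers_unsafe(headers)


def count_header_lines(raw: str) -> int:
    """Number of header lines a receiver would parse from a serialised block."""
    head = raw.split("\r\n\r\n", 1)[0]
    return len([line for line in head.split("\r\n") if line])


if __name__ == "__main__":
    # Constructed sample: a single Location header whose value carries a CRLF.
    tainted = [("Location", "/home\r\nX-Injected: 1")]
    print("unsafe serialiser emits", count_header_lines(render_headers_unsafe(tainted)), "header lines")
    try:
        render_headers_safe(tainted)
    except HeaderInjectionError as exc:
        print("safe serialiser rejected it:", exc)
```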

Solution

Upgrade Zend Framework to version 2.4.1 or later. If version 2.4.x is not available, version 2.3.8 is also patched for these vulnerabilities.