Re: Remote code execution in Pimcore CMS

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> It's all the same flaw and the same attack methodology

Probably "attack methodology" wasn't the best phrase to use in the
http://openwall.com/lists/oss-security/2014/04/19/5 post because there
might be multiple common definitions.

The currently available exploit information is that an attack against
versions 1.4.9 to 2.0.0 (inclusive) can use
Zend_Pdf_ElementFactory_Proxy.

Also, an attack against versions 1.4.9 to 2.1.0 (inclusive) can use
Zend_Http_Response_Stream.

The details of a successful attack are not identical for these two
sets of versions. CVE's practice here is to assign two different IDs:

  1.4.9 to 2.0.0: Zend_Pdf_ElementFactory_Proxy = CVE-2014-2921
  1.4.9 to 2.1.0: Zend_Http_Response_Stream =     CVE-2014-2922

The impacts are also different but a difference in impact does not, by
itself, affect the number of CVE IDs. The detailed reason for why
there are different sets of affected versions (e.g., a code change in
2.0.1 to enforce use of certain PHP versions, with some PHP versions
not allowing a malicious.php\0 filename) also does not affect the
number of CVE IDs in this case.

Each CVE depends on the unserialize problem in the context of whether
the version-enforcement code is present or absent.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTVK2rAAoJEKllVAevmvmsmqEIALm75zXacwRz6P+tdvvHrrUw
DjeKcGx6ursnX2N3skFLDE0TBA9zZ3lnAzl26pOuRR6rDsAyHb3blWxb1Wd1GTQk
vzKTU4cBNUzhKjBn0v+l/fepvV1JH7uPVJoI+dUU4wV0Y0z79g1hNKrEOshfetSr
SDLCfh7Qxk9bCIWkJ2jJ+e1iiiF75fd132/skMaZWth/aO8/sh6M9H9T5Re51ikE
UymvKFElYjHRnH5MMBCDxDu9JOR/E82BBxREy3pz7b4iQXwuuBc+gL5KXXe+ZLwf
NsaJ25LjvP5Fe+OYoGcPVKN9d8GehAD8Yj0vwZ69Kn6f0yqijBwDwhnDkBLPl54=
=+ro7
-----END PGP SIGNATURE-----