Bug 1207781 (CVE-2015-1786) - CVE-2015-1786 php-ZendFramework2: invalid CSRF validation of null or incorrectly formatted token identifiers (ZF2015-03)
Summary: CVE-2015-1786 php-ZendFramework2: invalid CSRF validation of null or incorrec...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2015-1786
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1207782 1207783
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-03-31 16:49 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:31 UTC (History)
4 users (show)

Fixed In Version: Zend Framework 2.3.6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-21 09:37:59 UTC


Attachments (Terms of Use)

Description Vasyl Kaigorodov 2015-03-31 16:49:14 UTC
Zend\Validator\Csrf, starting in the Zend Framework 2.3 series, was not correctly identifying null or mal-formatted token identifiers, leading to false positive validations, and thus potentially allowing for Cross-Site Request Forgery vectors.

A patch was written that correctly identifies invalid token identifiers, ensuring that they invalidate the provided value.
It was discovered that the vulnerability was introduced specifically in the 2.3 series, and thus no patch was necessary against the 2.2 series.

Comment 1 Vasyl Kaigorodov 2015-03-31 16:49:53 UTC
Created php-ZendFramework2 tracking bugs for this issue:

Affects: fedora-all [bug 1207782]
Affects: epel-all [bug 1207783]

Comment 2 Shawn Iwinski 2015-07-20 02:09:46 UTC
All dependent bugs have been closed, can this tracking bug be closed as well?

Comment 3 Vasyl Kaigorodov 2015-07-21 09:37:59 UTC
Yep, this one can (and should) be closed.
Doing now.


Note You need to log in before you can comment on or make changes to this bug.