CVE-2016-10034 Zend Framework: potential remote code execution in zend-mail via Sendmail adapter

Created: 2017-02-08 07:01:24 UTC
Modified: 2017-08-08 13:46:00 UTC


Situation

Zend Framework issued a vulnerability alert on 2016-12-20: [CVE-2016-10034][ZF2016-04] Zend Framework: potential remote code execution in zend-mail via Sendmail adapter.

Impact

The CVE-2016-10034 vulnerability affects Zend Framework 2: when the zend-mail component is used to send email via the Zend\Mail\Transport\Sendmail transport, a malicious user may be able to inject arbitrary parameters into the invocation of the system sendmail program.

Call to Action

The Zend Framework maintainers have already released patches resolving the vulnerability. The fix is available in:

  • zend-mail, starting in version 2.7.2
  • zend-mail, 2.4.11
  • Zend Framework, 2.4.11

Plesk itself is not affected, as it uses Zend Framework 1, whose code differs. If customer PHP applications on the server load Zend Framework 2, make sure it is updated to at least version 2.4.11.
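As an added check that is not part of the original article, the script below reads a project's composer.lock and reports whether its zend-mail and Zend Framework entries carry the fix listed above (2.4.11 on the 2.4 line, zend-mail 2.7.2 otherwise). The Packagist package names, the constructed lock sample and the assumption that Zend Framework 2.5+ pulls in zend-mail as a separate package are mine, not the article's.

```python
import json
import re

# Packagist names assumed for the two components the advisory lists.
WATCHED = {"zendframework/zend-mail", "zendframework/zendframework"}


def parse_version(v):
    """Turn 'v2.4.10' or '2.7.2' into (major, minor, patch); None if not a release tag."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", v or "")
    return tuple(int(x) for x in m.groups()) if m else None


def is_fixed(package, version):
    """True if the version carries the CVE-2016-10034 fix, False if affected,
    None if it cannot be decided from the version string alone."""
    t = parse_version(version)
    if t is None or t[0] != 2:
        return None            # dev branch or not Zend Framework 2: review manually
    minor, patch = t[1], t[2]
    if minor < 4:
        return False           # older than the 2.4 maintenance line: affected
    if minor == 4:
        return patch >= 11     # 2.4.11 is the fixed release on the 2.4 line
    if package == "zendframework/zend-mail":
        return t >= (2, 7, 2)  # 2.5.0 .. 2.7.1 remain affected; 2.7.2+ fixed
    return None                # assumed: ZF 2.5+ is a metapackage, judge by its zend-mail entry


def audit_lock(lock_json):
    """Return {package: (version, status)} for watched packages found in composer.lock."""
    lock = json.loads(lock_json)
    findings = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name")
            if name in WATCHED:
                fixed = is_fixed(name, pkg.get("version"))
                status = "unknown" if fixed is None else ("fixed" if fixed else "affected")
                findings[name] = (pkg.get("version"), status)
    return findings


# Constructed sample composer.lock, not taken from any real server.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "zendframework/zend-mail", "version": "2.7.1"},
        {"name": "zendframework/zendframework", "version": "2.4.11"},
        {"name": "monolog/monolog", "version": "1.22.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, (ver, status) in audit_lock(SAMPLE_LOCK).items():
        print(f"{name} {ver}: {status}")
```

Run it against a real lock file with `audit_lock(open("composer.lock").read())`; an "unknown" result means the version string needs a manual look.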
