GMS-2023-71: CakePHP vulnerable to Denial of Service attack through XML payloads

January 20, 2023

RequestHandlerComponent had a vulnerability that would allow well crafted requests to create a denial of service attack. RequestHandlerComponent leverages Xml::build() which allows reading local files. We recommend that all applications using RequestHandlerComponent upgrade, or disable parsing XML payloads.

References

bakery.cakephp.org/2015/05/28/cakephp_2_6_6_and_3_0_6_released.html
github.com/FriendsOfPHP/security-advisories/blob/master/cakephp/cakephp/2015-05-28.yaml
github.com/advisories/GHSA-q79m-c546-2g63
github.com/cakephp/cakephp/commit/c186487151356a8d7c6e2cae05f87b9df0e59fbb

Code Behaviors & Features

Detect and mitigate GMS-2023-71 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →