{"api_version":"1","generated_at":"2026-04-23T16:53:42+00:00","cve":"CVE-2015-3154","urls":{"html":"https://cve.report/CVE-2015-3154","api":"https://cve.report/api/cve/CVE-2015-3154.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2015-3154","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2015-3154"},"summary":{"title":"CVE-2015-3154","description":"CRLF injection vulnerability in Zend\\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2020-01-27 16:15:00","updated_at":"2020-01-30 18:51:00"},"problem_types":["CWE-74"],"metrics":[],"references":[{"url":"http://framework.zend.com/security/advisory/ZF2015-04","name":"http://framework.zend.com/security/advisory/ZF2015-04","refsource":"CONFIRM","tags":["Exploit","Vendor Advisory"],"title":"ZF2015-04: Potential CRLF injection attacks in mail and HTTP headers - Advisories - Security - Zend Framework","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2015-3154","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-3154","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2015","cve_id":"3154","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"zend","cpe5":"zend_framework","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2015","cve_id":"3154","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"zend","cpe5":"zend_framework","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"secalert@redhat.com","ID":"CVE-2015-3154","STATE":"PUBLIC"},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"CRLF injection vulnerability in Zend\\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CRLF Injection"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Zend Technologies","product":{"product_data":[{"product_name":"Zend Framework","version":{"version_data":[{"version_value":"before 1.12.12"},{"version_value":"2.x before 2.3.8"},{"version_value":"2.4.x before 2.4.1"}]}}]}}]}},"references":{"reference_data":[{"refsource":"CONFIRM","name":"http://framework.zend.com/security/advisory/ZF2015-04","url":"http://framework.zend.com/security/advisory/ZF2015-04"}]}},"nvd":{"publishedDate":"2020-01-27 16:15:00","lastModifiedDate":"2020-01-30 18:51:00","problem_types":["CWE-74"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*","versionStartIncluding":"2.4.0","versionEndExcluding":"2.4.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*","versionStartIncluding":"2.3.0","versionEndExcluding":"2.3.8","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*","versionEndExcluding":"1.12.12","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2015","CveId":"3154","Ordinal":"80107","Title":"CVE-2015-3154","CVE":"CVE-2015-3154","Year":"2015"},"notes":[{"CveYear":"2015","CveId":"3154","Ordinal":"1","NoteData":"CRLF injection vulnerability in Zend\\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.","Type":"Description","Title":null},{"CveYear":"2015","CveId":"3154","Ordinal":"2","NoteData":"2020-01-27","Type":"Other","Title":"Published"},{"CveYear":"2015","CveId":"3154","Ordinal":"3","NoteData":"2020-01-27","Type":"Other","Title":"Modified"}]}}}