Description
silverstripe/framework may disclose database credentials during connection failure
When running SilverStripe 3.7 or 4.x in dev mode with the mysqli database driver, there is a potential to disclose the connection details.
We have blacklisted the sensitive parts of the connection information from being included in dev mode stack traces when database errors occur.
References
- https://github.com/silverstripe/silverstripe-framework/commit/214e28127f5425b61c15b69f884afdbad31133c2
- https://github.com/silverstripe/silverstripe-framework/commit/54251952387394d72b221e797a80edfbf9a973ee
- https://github.com/silverstripe/silverstripe-framework/commit/9aabe0a0f7a061d87cc92923f8811e14d7a032f5
- https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2018-018-1.yaml
- https://www.silverstripe.org/download/security-releases/ss-2018-018
Packages

| Name | Affected versions | Fixed version |
| --- | --- | --- |
| silverstripe/framework (composer) | >= 3.7.0-rc1, < 3.7.1 | 3.7.1 |
| silverstripe/framework (composer) | >= 4.0.0-rc1, < 4.0.5 | 4.0.5 |
| silverstripe/framework (composer) | >= 4.1.0-rc1, < 4.1.3 | 4.1.3 |
| silverstripe/framework (composer) | >= 4.2.0-rc1, < 4.2.2 | 4.2.2 |
CVSS3: 6.5 Medium
Weaknesses
- CWE-209