Description
DBAL 3 SQL Injection Security Vulnerability
We have released a new version, Doctrine DBAL 3.1.4, that fixes a critical SQL injection vulnerability in the LIMIT clause generation API provided by the Platform abstraction.
We advise everyone using Doctrine DBAL 3.0.0 up to 3.1.3 to upgrade to 3.1.4 immediately.
The vulnerability can be triggered when unsanitized input is passed to any of the many Doctrine DBAL and ORM APIs that ultimately call AbstractPlatform::modifyLimitQuery.
As a workaround you can cast all limit and offset parameters to integers before passing them to Doctrine APIs.
This vulnerability has been assigned CVE-2021-43608.
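The workaround above is a plain integer cast before the value reaches a Doctrine API. The following is an added example (not code from the advisory or the Doctrine project) of a stricter variant: it validates pagination input with filter_var so that tampered values are rejected and logged rather than silently truncated, and only the resulting ints are handed to QueryBuilder::setFirstResult / setMaxResults (the call is shown in a comment so the script runs without DBAL installed).

```php
<?php
declare(strict_types=1);

// Strict coercion of user-controlled pagination values. A bare (int) cast, as in
// the advisory's workaround, silently turns "10 OR 1=1" into 10; this helper
// rejects anything that is not a whole integer within [0, $max] so tampering
// surfaces in application logs instead of being quietly discarded.
function paginationInt(mixed $raw, int $default, int $max): int
{
    if ($raw === null || $raw === '') {
        return $default;            // parameter absent: use the page default
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => $max],
    ]);
    if ($value === false) {
        throw new InvalidArgumentException(
            'Rejected pagination value ' . var_export($raw, true)
        );
    }
    return $value;
}

// Constructed request values standing in for $_GET['offset'] / $_GET['limit'].
$requests = [
    ['offset' => '20',  'limit' => '10'],        // normal paging
    ['offset' => '0',   'limit' => '10 OR 1=1'], // tampered limit
    ['offset' => null,  'limit' => '999999'],    // above the page-size cap
];

foreach ($requests as $params) {
    try {
        $offset = paginationInt($params['offset'], 0, PHP_INT_MAX);
        $limit  = paginationInt($params['limit'], 25, 100);
        // Only these validated ints reach Doctrine, e.g.
        //   $qb->setFirstResult($offset)->setMaxResults($limit);
        echo "offset=$offset limit=$limit\n";
    } catch (InvalidArgumentException $e) {
        // Log and answer HTTP 400; never fall through to the query.
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```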
References
- https://github.com/doctrine/dbal/security/advisories/GHSA-r7cj-8hjg-x622
- https://nvd.nist.gov/vuln/detail/CVE-2021-43608
- https://github.com/doctrine/dbal/commit/9dcfa4cb6c03250b78a84737ba7ceb82f4b7ba4d
- https://github.com/FriendsOfPHP/security-advisories/blob/master/doctrine/dbal/CVE-2021-43608.yaml
- https://github.com/doctrine/dbal
- https://github.com/doctrine/dbal/releases
- https://www.doctrine-project.org/2021/11/11/dbal3-vulnerability-fixed.html
Packages
Package: doctrine/dbal
Affected versions: >= 3.0.0, < 3.1.4
Fixed in: 3.1.4
Related vulnerabilities
Doctrine DBAL 3.x before 3.1.4 allows SQL Injection. The offset and length inputs used to generate a LIMIT clause were not properly cast to an integer, allowing SQL injection to take place if application developers passed unescaped user input to the DBAL QueryBuilder or any other API that ultimately uses the AbstractPlatform::modifyLimitQuery API.