CVE-2021-43608

Published: 09 Dec 2021
Source: nvd
CVSS3: 9.8
CVSS2: 7.5
EPSS: Low

Description

Doctrine DBAL 3.x before 3.1.4 allows SQL Injection. The escaping of offset and length inputs to the generation of a LIMIT clause was not properly cast to an integer, allowing SQL injection to take place if application developers passed unescaped user input to the DBAL QueryBuilder or any other API that ultimately uses the AbstractPlatform::modifyLimitQuery API.

Vulnerable configurations

Configuration 1
cpe:2.3:a:doctrine-project:database_abstraction_layer:*:*:*:*:*:*:*:*
Versions from 3.0.0 (inclusive) to 3.1.4 (exclusive)

EPSS

Percentile: 80%
0.01352
Low

9.8 Critical

CVSS3

7.5 High

CVSS2

Weaknesses

CWE-89

Related vulnerabilities

CVSS3: 9.8
ubuntu
about 4 years ago

Doctrine DBAL 3.x before 3.1.4 allows SQL Injection. The escaping of offset and length inputs to the generation of a LIMIT clause was not properly cast to an integer, allowing SQL injection to take place if application developers passed unescaped user input to the DBAL QueryBuilder or any other API that ultimately uses the AbstractPlatform::modifyLimitQuery API.

CVSS3: 9.8
debian
about 4 years ago

Doctrine DBAL 3.x before 3.1.4 allows SQL Injection. The escaping of o ...

CVSS3: 9.8
github
about 4 years ago

DBAL 3 SQL Injection Security Vulnerability
