GHSA-r7cj-8hjg-x622
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r7cj-8hjg-x622
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-r7cj-8hjg-x622/GHSA-r7cj-8hjg-x622.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-r7cj-8hjg-x622
- Aliases
- Published
- 2021-11-16T17:25:57Z
- Modified
- 2024-02-16T08:09:57.480655Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- DBAL 3 SQL Injection Security Vulnerability
- Details
-
We have released a new version Doctrine DBAL 3.1.4 that fixes a critical SQL injection vulnerability in the LIMIT clause generation API provided by the Platform abstraction.
We advise everyone using Doctrine DBAL 3.0.0 up to 3.1.3 to upgrade to 3.1.4 immediately.
The vulnerability can happen when unsanitized input is passed to many APIs in Doctrine DBAL and ORM that ultimately end up calling
AbstractPlatform::modifyLimitQuery.As a workaround you can cast all limit and offset parameters to integers before passing them to Doctrine APIs.
This vulnerability has been assigned CVE-2021-43608.
- Database specific
{ "nvd_published_at": "2021-12-09T20:15:00Z", "cwe_ids": [ "CWE-89" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2021-11-15T22:34:32Z" }- References
-
- https://github.com/doctrine/dbal/security/advisories/GHSA-r7cj-8hjg-x622
- https://nvd.nist.gov/vuln/detail/CVE-2021-43608
- https://github.com/doctrine/dbal/commit/9dcfa4cb6c03250b78a84737ba7ceb82f4b7ba4d
- https://github.com/FriendsOfPHP/security-advisories/blob/master/doctrine/dbal/CVE-2021-43608.yaml
- https://github.com/doctrine/dbal
- https://github.com/doctrine/dbal/releases
- https://www.doctrine-project.org/2021/11/11/dbal3-vulnerability-fixed.html
Affected packages
Packagist / doctrine/dbal
Package
- Name
- doctrine/dbal
- Purl
- pkg:composer/doctrine/dbal