GHSA-v42g-7q2x-cw32

Source
https://github.com/advisories/GHSA-v42g-7q2x-cw32
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-v42g-7q2x-cw32/GHSA-v42g-7q2x-cw32.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-v42g-7q2x-cw32
Published
2024-06-07T22:25:43Z
Modified
2024-12-04T05:41:15.523998Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Zendframework1 potential SQL injection vector using null byte for PDO (MsSql, SQLite)
Details

The PDO adapters of Zend Framework 1 do not filter null byte values in SQL statements. A PDO adapter can treat a null byte in a query as a string terminator, allowing an attacker to add arbitrary SQL following the null byte and thus create a SQL injection.

We tested and verified the null byte injection using pdo_dblib (FreeTDS) on a Linux environment to access a remote Microsoft SQL Server, and also tested against and noted the vector against pdo_sqlite.
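
Until an application is on the fixed release (1.12.16), request data can be screened for null bytes before any value reaches a PDO adapter. The following is an added example, not code from Zend Framework or from this advisory; the function names `findNullBytes` and `rejectNullBytes` and the sample request are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not Zend Framework code): locate NUL bytes in request data
 * before any value is handed to a Zend_Db PDO adapter.
 * Returns the path of every offending key or value, e.g. "filter[name]".
 */
function findNullBytes(array $data, string $prefix = ''): array
{
    $hits = [];
    foreach ($data as $key => $value) {
        // Render an embedded NUL as the two characters \0 so paths are safe to log.
        $shown = str_replace("\0", '\0', (string) $key);
        $path  = $prefix === '' ? $shown : $prefix . '[' . $shown . ']';
        if (is_string($key) && strpos($key, "\0") !== false) {
            $hits[] = $path . ' (key)';
        }
        if (is_array($value)) {
            // Nested parameters such as filter[name]=... are walked recursively.
            $hits = array_merge($hits, findNullBytes($value, $path));
        } elseif (is_string($value) && strpos($value, "\0") !== false) {
            $hits[] = $path;
        }
    }
    return $hits;
}

/** Reject the request rather than silently stripping, so the event is logged. */
function rejectNullBytes(array $data): void
{
    $hits = findNullBytes($data);
    if ($hits !== []) {
        throw new InvalidArgumentException('NUL byte in input: ' . implode(', ', $hits));
    }
}

// Constructed sample input standing in for $_GET / $_POST.
$request = [
    'page'   => '2',
    'filter' => ['name' => "alice\0trailing text", 'role' => 'admin'],
];

try {
    rejectNullBytes($request);
    echo "input accepted\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

This screens input at the application boundary only; it does not change how the adapters quote values, so upgrading to the fixed version remains the actual remedy.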

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-89"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-07T22:25:43Z"
}
Affected packages

Packagist / zendframework/zendframework1

Package

Name
zendframework/zendframework1
Purl
pkg:composer/zendframework/zendframework1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.12.0
Fixed
1.12.16

Affected versions

1.*

1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.12.5
1.12.6
1.12.7
1.12.8
1.12.9
1.12.10
1.12.11
1.12.12
1.12.13
1.12.14
1.12.15