UBUNTU-CVE-2021-43608

Source
https://ubuntu.com/security/CVE-2021-43608
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-43608.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2021-43608
Related
Published
2021-12-09T20:15:00Z
Modified
2024-10-15T14:08:28Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Doctrine DBAL 3.x before 3.1.4 allows SQL injection. The offset and length inputs used to generate a LIMIT clause were not properly cast to an integer, allowing SQL injection to take place if application developers passed unescaped user input to the DBAL QueryBuilder or any other API that ultimately uses the AbstractPlatform::modifyLimitQuery API.

References

Affected packages

Ubuntu:Pro:16.04:LTS / php-doctrine-dbal

Package

Name
php-doctrine-dbal
Purl
pkg:deb/ubuntu/php-doctrine-dbal?arch=src?distro=esm-apps/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

2.*

2.4.4-2
2.4.5-1
2.4.5-1ubuntu1
2.4.5-2
2.4.5-2build1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}