UBUNTU-CVE-2023-22727

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2023-22727

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-22727.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2023-22727

Related

CVE-2023-22727

Published

2023-01-17T21:15:00Z

Modified

2023-01-17T21:15:00Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

CakePHP is a development framework for PHP web apps. In affected versions the Cake\Database\Query::limit() and Cake\Database\Query::offset() methods are vulnerable to SQL injection if passed un-sanitized user request data. This issue has been fixed in 4.2.12, 4.3.11, 4.4.10. Users are advised to upgrade. Users unable to upgrade may mitigate this issue by using CakePHP's Pagination library. Manually validating or casting parameters to these methods will also mitigate the issue.

References

Affected packages

Ubuntu:Pro:16.04:LTS / cakephp

Package

Name: cakephp
Purl: pkg:deb/ubuntu/cakephp?arch=src?distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.7.2-1

2.8.0-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:20.04:LTS / cakephp

Package

Name: cakephp
Purl: pkg:deb/ubuntu/cakephp?arch=src?distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.10.11-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / cakephp

Package

Name: cakephp
Purl: pkg:deb/ubuntu/cakephp?arch=src?distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.10.11-2.1

2.10.24-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}