Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yaHZoLWM1YzItdmo4Nc4AAdEL
Zend Framework SQL injection vector using null byte for PDO
The PDO adapters in Zend Framework before 1.12.16 do not filter null bytes in SQL statements, which allows remote attackers to execute arbitrary SQL commands via a crafted query.
Permalink: https://github.com/advisories/GHSA-2hvh-c5c2-vj85
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yaHZoLWM1YzItdmo4Nc4AAdEL
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: 15 days ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-2hvh-c5c2-vj85, CVE-2015-7695
References:
- https://nvd.nist.gov/vuln/detail/CVE-2015-7695
- http://framework.zend.com/security/advisory/ZF2015-08
- http://www.debian.org/security/2015/dsa-3369
- http://www.openwall.com/lists/oss-security/2015/09/30/6
- http://www.openwall.com/lists/oss-security/2015/09/30/8
- http://www.openwall.com/lists/oss-security/2015/10/11/3
- http://www.securityfocus.com/bid/76784
- https://github.com/advisories/GHSA-2hvh-c5c2-vj85
Affected Packages
packagist:zendframework/zendframework1
Dependent packages: 151
Dependent repositories: 841
Downloads: 6,478,672 total
Affected Version Ranges: < 1.12.16
Fixed in: 1.12.16
All affected versions: 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.12.7, 1.12.8, 1.12.9, 1.12.10, 1.12.11, 1.12.12, 1.12.13, 1.12.14, 1.12.15
All unaffected versions: 1.12.16, 1.12.17, 1.12.18, 1.12.19, 1.12.20