Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yN2NqLThoamcteDYyMs0XOw
DBAL 3 SQL Injection Security Vulnerability
We have released a new version Doctrine DBAL 3.1.4 that fixes a critical SQL injection vulnerability in the LIMIT clause generation API provided by the Platform abstraction.
We advise everyone using Doctrine DBAL 3.0.0 up to 3.1.3 to upgrade to 3.1.4 immediately.
The vulnerability can happen when unsanitized input is passed to many APIs in Doctrine DBAL and ORM that ultimately end up calling AbstractPlatform::modifyLimitQuery.
As a workaround you can cast all limit and offset parameters to integers before passing them to Doctrine APIs.
This vulnerability has been assigned CVE-2021-43608.
Permalink: https://github.com/advisories/GHSA-r7cj-8hjg-x622JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yN2NqLThoamcteDYyMs0XOw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: 3 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-r7cj-8hjg-x622, CVE-2021-43608
References:
- https://github.com/doctrine/dbal/security/advisories/GHSA-r7cj-8hjg-x622
- https://nvd.nist.gov/vuln/detail/CVE-2021-43608
- https://github.com/doctrine/dbal/commit/9dcfa4cb6c03250b78a84737ba7ceb82f4b7ba4d
- https://github.com/doctrine/dbal/releases
- https://www.doctrine-project.org/2021/11/11/dbal3-vulnerability-fixed.html
- https://github.com/FriendsOfPHP/security-advisories/blob/master/doctrine/dbal/CVE-2021-43608.yaml
- https://github.com/advisories/GHSA-r7cj-8hjg-x622
Blast Radius: 50.4
Affected Packages
packagist:doctrine/dbal
Dependent packages: 4,810Dependent repositories: 138,820
Downloads: 398,730,323 total
Affected Version Ranges: >= 3.0.0, < 3.1.4
Fixed in: 3.1.4
All affected versions: 3.0.0, 3.1.0, 3.1.1, 3.1.2, 3.1.3
All unaffected versions: 2.1.5, 2.1.6, 2.1.7, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.5.10, 2.5.11, 2.5.12, 2.5.13, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.7.0, 2.7.1, 2.7.2, 2.8.0, 2.8.1, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.12.0, 2.12.1, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.13.4, 2.13.5, 2.13.6, 2.13.7, 2.13.8, 2.13.9, 3.1.4, 3.1.5, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 4.0.0, 4.0.1, 4.0.2