GHSA-X2F4-8WXF-W3VF
Vulnerability from github – Published: 2024-06-07 20:35 – Updated: 2024-06-07 20:35The Zend\Db component in Zend Framework 2 provides platform abstraction, which is used in particular for SQL abstraction. Two methods defined in the platform interface, quoteValue() and quoteValueList(), allow users to manually quote values for creating SQL statements; these are in turn consumed by aspects of the SQL abstraction platform, including Zend\Db\Sql\Sql::getSqlStringForSqlObject(), and the getSqlString() method provided in a number of classes in the Zend\Db\Sql namespace.
While these methods are primarily intended for debugging and logging purposes, developers can use them to produce SQL that is then passed to the driver to execute. Due to a flaw in how the quoteValue() and quoteValueList() methods were written, this can lead to potential SQL injection.
The offending code is located in any of the Zend\Db\Adapter\Platform* objects, particularly the quoteValue() and quoteValueList() methods. These methods did not take into account most of the possible escapable characters that would need to be escaped when attempting to create a quoted value for interpolation into a SQL string. Moreover, these methods did value quoting without extension level coordination which, when available, takes character-sets into account when quoting.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendframework"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendframework"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-07T20:35:15Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "The `Zend\\Db` component in Zend Framework 2 provides platform abstraction, which is used in particular for SQL abstraction. Two methods defined in the platform interface, `quoteValue()` and `quoteValueList()`, allow users to manually quote values for creating SQL statements; these are in turn consumed by aspects of the SQL abstraction platform, including `Zend\\Db\\Sql\\Sql::getSqlStringForSqlObject()`, and the `getSqlString()` method provided in a number of classes in the Zend\\Db\\Sql namespace.\n\nWhile these methods are primarily intended for debugging and logging purposes, developers can use them to produce SQL that is then passed to the driver to execute. Due to a flaw in how the `quoteValue()` and `quoteValueList()` methods were written, this can lead to potential SQL injection.\n\nThe offending code is located in any of the `Zend\\Db\\Adapter\\Platform*` objects, particularly the quoteValue() and `quoteValueList()` methods. These methods did not take into account most of the possible escapable characters that would need to be escaped when attempting to create a quoted value for interpolation into a SQL string. Moreover, these methods did value quoting without extension level coordination which, when available, takes character-sets into account when quoting.",
"id": "GHSA-x2f4-8wxf-w3vf",
"modified": "2024-06-07T20:35:15Z",
"published": "2024-06-07T20:35:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/zendframework/zendframework/commit/0ef63e7db5fa30a79a58eb7c6466c6ab5c0618c5"
},
{
"type": "WEB",
"url": "https://github.com/zendframework/zendframework/commit/546074660e6e10b9191bf0dc62b524d99f71a5cd"
},
{
"type": "WEB",
"url": "https://github.com/zendframework/zendframework/commit/6d83777786b8e6171d82191ef917afd09fcb6601"
},
{
"type": "WEB",
"url": "https://github.com/zendframework/zendframework/commit/870741d0c01a24ff23f9e209c8d393bd3a4115e3"
},
{
"type": "WEB",
"url": "https://github.com/zendframework/zendframework/commit/95c88c236e80b475141d227bdf7866ca40287dd1"
},
{
"type": "WEB",
"url": "https://github.com/zendframework/zendframework/commit/d1f259b9d6dbd7c3828360afcfdd3658f2163ea0"
},
{
"type": "WEB",
"url": "https://framework.zend.com/security/advisory/ZF2013-03"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/ZF2013-03.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/zendframework/zendframework"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "ZendFramework SQL injection due to execution of platform-specific SQL containing interpolations"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.