CVE-2021-43608 – doctrine/dbal

Package

Manager: composer
Name: doctrine/dbal
Vulnerable Version: >=3.0.0 <3.1.4

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.02216 pctl0.83856

Details

DBAL 3 SQL Injection Security Vulnerability We have released a new version Doctrine DBAL 3.1.4 that fixes a critical SQL injection vulnerability in the LIMIT clause generation API provided by the Platform abstraction. We advise everyone using Doctrine DBAL 3.0.0 up to 3.1.3 to upgrade to 3.1.4 immediately. The vulnerability can happen when unsanitized input is passed to many APIs in Doctrine DBAL and ORM that ultimately end up calling `AbstractPlatform::modifyLimitQuery`. As a workaround you can cast all limit and offset parameters to integers before passing them to Doctrine APIs. This vulnerability has been assigned [CVE-2021-43608](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43608).

Metadata

Created: 2021-11-16T17:25:57Z
Modified: 2021-12-16T14:11:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-r7cj-8hjg-x622/GHSA-r7cj-8hjg-x622.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-r7cj-8hjg-x622
Finding: F297
Auto approve: 1