CVE-2014-8089 zendframework/zend-db

Package

Manager: composer
Name: zendframework/zend-db
Vulnerable Version: >=2.0.0 <2.0.99 || >=2.1.0 <2.1.99 || >=2.2.0 <2.2.8 || >=2.3.0 <2.3.3

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.01115 (percentile 0.77351)

Details

Zend Framework SQL injection vulnerability

SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte.

Metadata

Created: 2024-04-23T22:39:03Z
Modified: 2024-04-23T22:39:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-qh9w-r7g5-q939/GHSA-qh9w-r7g5-q939.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-qh9w-r7g5-q939
Finding: F297
Auto approve: 1