Fluid Attacks Database

Description

Doctrine DBAL SQL injection possibility The identifier quoting in Doctrine DBAL has a potential security problem when user-input is passed into this function, making the security aspect of this functionality obsolete. If you make use of AbstractPlatform::quoteIdentifier() or Doctrine::quoteIdentifier() please upgrade immediately. The ORM itself does not use identifier quoting in combination with user-input, however we still urge everyone to update to the latest version of DBAL.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	doctrine/dbal	>=2.0.0 <2.0.8 \|\| >=2.1.0 <2.1.2	2.0.8, 2.1.2

Aliases

1. GCVE-GHSA-76w8-mqx4-wjrf

References

1. https://github.com/FriendsOfPHP/security-advisories/blob/master/doctrine/dbal/2011-09-25.yaml2. https://web.archive.org/web/20130208100252/https://www.doctrine-project.org/blog/dbal-security-2011-1.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.