GHSA-ph98-v78f-jqrm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-ph98-v78f-jqrm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-ph98-v78f-jqrm/GHSA-ph98-v78f-jqrm.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-ph98-v78f-jqrm
- Aliases
- Related
- Published
- 2021-12-14T21:08:13Z
- Modified
- 2023-11-01T04:56:45.819466Z
- Severity
-
- 8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- SQL injection in jackalope/jackalope-doctrine-dbal
- Details
-
Impact
Users can provoke SQL injections if they can specify a node name or query.
Patches
Upgrade to version 1.7.4
If that is not possible, you can escape all places where
$propertyis used to filtersv:namein the classJackalope\Transport\DoctrineDBAL\Query\QOMWalker:XPath::escape($property).Workarounds
Node names and xpaths can contain
"or;according to the JCR specification. The jackalope component that translates the query object model into doctrine dbal queries does not properly escape the names and paths, so that a accordingly crafted node name can lead to an SQL injection.If queries are never done from user input, or if you validate the user input to not contain
;, you are not affected.References
No further references.
For more information
If you have any questions or comments about this advisory:
- Open an issue in jackalope/jackalope-doctrine-dbal repo
- Database specific
{ "cwe_ids": [ "CWE-89" ], "nvd_published_at": "2021-12-13T20:15:00Z", "github_reviewed_at": "2021-12-14T15:25:41Z", "severity": "HIGH", "github_reviewed": true }- References
Affected packages
Packagist / jackalope/jackalope-doctrine-dbal
Package
- Name
- jackalope/jackalope-doctrine-dbal
- Purl
- pkg:composer/jackalope/jackalope-doctrine-dbal
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.7.4