ZendFramework potential SQL Injection Vector When Using PDO_MySql

2024-06-0721:13:11

CWE-89

GitHub Advisory Database

github.com

zendframework

sql injection

pdo_mysql

php issue

charset

dsn

quoting mechanisms

vulnerable software

AI Score

7.8

Confidence

Low

JSON

Developers using non-ASCII-compatible encodings in conjunction with the MySQL PDO driver of PHP may be vulnerable to SQL injection attacks. Developers using ASCII-compatible encodings like UTF8 or latin1 are not affected by this PHP issue, which is described in more detail here:

http://bugs.php.net/bug.php?id=47802
The PHP Group included a feature in PHP 5.3.6+ that allows any character set information to be passed as part of the DSN in PDO to allow both the database as well as the C-level driver to be aware of which charset is in use which is of special importance when PDO’s quoting mechanisms are utilized, which Zend Framework also relies on.

Affected configurations

Vulners

Node

zendframeworkzendframework1Range1.11.0–1.11.6

zendframeworkzendframework1Range1.10.0–1.10.9

VendorProductVersionCPE
zendframeworkzendframework1*cpe:2.3:a:zendframework:zendframework1:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
zendframework	zendframework1	*	cpe:2.3:a:zendframework:zendframework1::::::::

References

bugs.php.net/bug.php?id=47802

framework.zend.com/security/advisory/ZF2011-02

github.com/advisories/GHSA-qf36-fx9f-232x

github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2011-02.yaml

AI Score

7.8

Confidence

Low

JSON