CVE-2021-43608: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
(updated )
Doctrine DBAL 3.x before 3.1.4 allows SQL Injection. The escaping of offset and length inputs to the generation of a LIMIT clause was not probably cast to an integer, allowing SQL injection to take place if application developers passed unescaped user input to the DBAL QueryBuilder or any other API that ultimately uses the AbstractPlatform::modifyLimitQuery API.
References
- github.com/advisories/GHSA-r7cj-8hjg-x622
- github.com/doctrine/dbal/commit/9dcfa4cb6c03250b78a84737ba7ceb82f4b7ba4d
- github.com/doctrine/dbal/releases
- github.com/doctrine/dbal/security/advisories/GHSA-r7cj-8hjg-x622
- nvd.nist.gov/vuln/detail/CVE-2021-43608
- www.doctrine-project.org/2021/11/11/dbal3-vulnerability-fixed.html
Code Behaviors & Features
Detect and mitigate CVE-2021-43608 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →