GHSA-76w8-mqx4-wjrf: Doctrine DBAL SQL injection possibility
Identifier quoting in Doctrine DBAL has a potential security problem when user input is passed into the quoting function, which defeats the security purpose of this functionality. If you use AbstractPlatform::quoteIdentifier() or Doctrine::quoteIdentifier(), please upgrade immediately. The ORM itself does not use identifier quoting in combination with user input; however, we still urge everyone to update to the latest version of DBAL.
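Alongside the upgrade, call sites can be arranged so that request data never reaches identifier quoting at all. The following is an added example, not code from Doctrine or from this advisory: it maps a user-supplied sort key to a fixed column name before quoting. The table and column names, the function names and the stand-in quoting closure are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: public sort keys mapped to fixed column names.
// Only these server-side constants are ever handed to identifier quoting.
const SORTABLE_COLUMNS = [
    'name'    => 'display_name',
    'created' => 'created_at',
    'email'   => 'email',
];

// Resolve a request parameter to a known column, rejecting everything else.
function resolveSortColumn(string $userKey): string
{
    if (!array_key_exists($userKey, SORTABLE_COLUMNS)) {
        throw new InvalidArgumentException('Unsupported sort key');
    }
    return SORTABLE_COLUMNS[$userKey];
}

// Sort direction is a keyword, not an identifier: pick one of two literals.
function resolveSortDirection(string $userDirection): string
{
    return strtoupper($userDirection) === 'DESC' ? 'DESC' : 'ASC';
}

// $quoteIdentifier is whatever quoting callable the application uses,
// for example [$platform, 'quoteIdentifier'] on a DBAL platform object.
function buildUserListQuery(callable $quoteIdentifier, string $sortKey, string $sortDirection): string
{
    $column = $quoteIdentifier(resolveSortColumn($sortKey));
    return sprintf('SELECT id, display_name FROM users ORDER BY %s %s',
        $column, resolveSortDirection($sortDirection));
}

// Constructed stand-in so the example runs without DBAL installed.
// It is not DBAL's implementation.
$standInQuoter = fn (string $id): string => '"' . str_replace('"', '""', $id) . '"';

// Constructed sample inputs: one valid key, two that must be rejected.
foreach (['created', 'password_hash', 'created"x'] as $key) {
    try {
        echo buildUserListQuery($standInQuoter, $key, 'desc'), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected sort key: ', var_export($key, true), PHP_EOL;
    }
}
```

With this shape, a flaw in the quoting routine cannot be reached from request parameters, because the only strings passed to it are the constants in the allowlist.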