CVE-2015-7695: SQL injection vector using null byte for PDO

June 7, 2016 (updated November 28, 2016)

The PDO adapters of Zend Framework 1 do not filter null bytes values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection. This only impacts MsSql and SQLite adapters.

References

framework.zend.com/security/advisory/ZF2015-08

Detect and mitigate CVE-2015-7695 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →