Published: 2016/09/15  Last Updated: 2016/09/15

JVN#18926672
Zend Framework vulnerable to SQL injection

Overview

Zend Framework contains an SQL injection vulnerability.

Products Affected

  • Zend Framework versions prior to 1.12.20
According to the developer, Zend Framework 2 and Zend Framework 3 are not affected by this vulnerability.

Description

Zend Framework is an open source web application framework. Zend Framework 1 contains an SQL injection vulnerability (CWE-89) due to a flaw in processing parameters in the ORDER BY and GROUP BY clauses.
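ORDER BY and GROUP BY take identifiers and keywords, which cannot be bound as query parameters, so application code can keep request input out of these clauses by using it only as a lookup key into a fixed allowlist. The PHP below is an added example of that check, not part of this advisory or of Zend Framework's code; the class `SortSpec`, its methods and the sample column names are hypothetical, and PHP 7.4 or later is assumed.

```php
<?php
declare(strict_types=1);

// Added example (not Zend Framework code). Assumes PHP 7.4+.
// Request input is used only as a lookup key into a fixed allowlist and is
// never copied into the SQL text of an ORDER BY or GROUP BY clause.
final class SortSpec
{
    /** @var array<string,string> public sort key => real column name */
    private array $columns;
    private string $defaultKey;

    public function __construct(array $columns, string $defaultKey)
    {
        foreach ($columns as $key => $column) {
            // Allowlist values are developer-supplied; still require plain identifiers.
            if (!preg_match('/\A[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?\z/', $column)) {
                throw new InvalidArgumentException("Unsafe column in allowlist for key '{$key}'");
            }
        }
        if (!isset($columns[$defaultKey])) {
            throw new InvalidArgumentException('Default key is not in the allowlist');
        }
        $this->columns = $columns;
        $this->defaultKey = $defaultKey;
    }

    /** Column for GROUP BY; unknown or missing keys fall back to the default. */
    public function column(?string $key): string
    {
        return ($key !== null && isset($this->columns[$key]))
            ? $this->columns[$key]
            : $this->columns[$this->defaultKey];
    }

    /** "column ASC|DESC" for ORDER BY; anything other than DESC becomes ASC. */
    public function orderBy(?string $key, ?string $direction): string
    {
        $dir = strtoupper(trim((string) $direction)) === 'DESC' ? 'DESC' : 'ASC';
        return $this->column($key) . ' ' . $dir;
    }
}

// Constructed sample request values, including malformed ones.
$spec = new SortSpec(['name' => 'users.name', 'created' => 'users.created_at'], 'name');
foreach ([['created', 'desc'], ['created', 'desc, 1'], ['name; --', 'asc'], [null, null]] as [$k, $d]) {
    printf("%-12s %-10s => ORDER BY %s\n", var_export($k, true), var_export($d, true), $spec->orderBy($k, $d));
}
```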

Impact

Information stored in the database may be obtained or altered by a remote attacker.

Solution

Update the Software
Update to the latest version according to the information provided by the developer.
According to the developer, this fix is an improvement for JVN#71730320.

Vendor Status

References

  1. Japan Vulnerability Notes - JVN#71730320
    Zend Framework vulnerable to SQL injection

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality Impact (C): High (H)
  • Integrity Impact (I): High (H)
  • Availability Impact (A): High (H)
CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score: 6.8
  • Access Vector (AV): Network (N)
  • Access Complexity (AC): Medium (M)
  • Authentication (Au): None (N)
  • Confidentiality Impact (C): Partial (P)
  • Integrity Impact (I): Partial (P)
  • Availability Impact (A): Partial (P)

Credit

Hiroshi Tokumaru of HASH Consulting Corp. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2016-4861
JVN iPedia: JVNDB-2016-000158