Published:2015/12/11  Last Updated:2015/12/11

JVN#71730320
Zend Framework vulnerable to SQL injection

Overview

Zend Framework contains an SQL injection vulnerability.

Products Affected

  • Zend Framework 1.12.7 and earlier

Description

Zend Framework is an open source web application framework. Zend Framework contains an SQL injection vulnerability (CWE-89) due to the argument of the ORDER BY clause.

Impact

An attacker who can access the product may execute SQL commands.

Solution

Update the Software
Update to the latest version according to the information provided by the developer.
This vulnerability has been addressed on 26 August, 2014.

References

JPCERT/CC Addendum

This JVN publication was delayed to 2015/12/11 after the developer fix was developed. From the fiscal year 2011, JPCERT/CC is using a new vendor coordination procedure. This new procedure came from the recommendation of the fiscal year 2010 "Study Group on Information System Vulnerability Handling" aimed at more timely JVN publications.

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Base Score: 5.6
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score: 6.8
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

Hiroshi Tokumaru of HASH Consulting Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2014-4914
JVN iPedia JVNDB-2015-000197