JVN#71730320
Zend Framework vulnerable to SQL injection
Overview
Zend Framework contains an SQL injection vulnerability.
Products Affected
- Zend Framework 1.12.7 and earlier
Description
Zend Framework is an open source web application framework. Zend Framework contains an SQL injection vulnerability (CWE-89) due to the argument of the ORDER BY clause.
Impact
An attacker who can access the product may execute SQL commands.
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
This vulnerability has been addressed on 26 August, 2014.
Vendor Status
| Vendor | Link |
| Zend Technologies Ltd. | ZF2014-04: Potential SQL injection in the ORDER implementation of Zend_Db_Select |
| Pull Request #418: Improved regex for SQL group, order, from |
References
JPCERT/CC Addendum
This JVN publication was delayed to 2015/12/11 after the developer fix was developed. From the fiscal year 2011, JPCERT/CC is using a new vendor coordination procedure. This new procedure came from the recommendation of the fiscal year 2010 "Study Group on Information System Vulnerability Handling" aimed at more timely JVN publications.
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Hiroshi Tokumaru of HASH Consulting Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2014-4914 |
| JVN iPedia |
JVNDB-2015-000197 |