FIX vulnerability CVE-2021-43608 #1392
Conversation
Doctrine DBAL 3.x before 3.1.4 allows SQL Injection: https://www.cve.org/CVERecord?id=CVE-2021-43608
|
👎🏼 AFAIK, we're not using any of this. I know by bumping this, we force the users of this library to a higher version and improve overall security. But this is an optional library, as good as bad as anyones else library and I believe the decision should be upon this who manage their application (anyone could just add that version constraint and be as safe as they want). I therefore think we should not enforce this, we're just another library and the pool, no code in this library (AFAIK) is affected by this. WDYT? |
|
bumping 3.0.0 to a more specific starting versions should not affect the stability true, its a -dev only plugin, but all teh code scanners still cry 😄 |
|
According to #1513 the 3.1 is actually the minimum, so it couldn't really hurt to just skip to 3.1.4 either.. |
Doctrine DBAL 3.x before 3.1.4 allows SQL Injection: https://www.cve.org/CVERecord?id=CVE-2021-43608 Co-authored-by: Barry vd. Heuvel <barry@fruitcake.nl>
Doctrine DBAL 3.x before 3.1.4 allows SQL Injection: https://www.cve.org/CVERecord?id=CVE-2021-43608
Summary
Doctrine DBAL 3.x before 3.1.4 allows SQL Injection. The escaping of offset and length inputs to the generation of a LIMIT clause was not probably cast to an integer, allowing SQL injection to take place if application developers passed unescaped user input to the DBAL QueryBuilder or any other API that ultimately uses the AbstractPlatform::modifyLimitQuery API.
Type of change
Checklist
composer fix-style