CVE-2014-8089 — SQL Injection in Framework

CWE-89 — SQL Injection6 documents5 sources

Severity

9.8CRITICALNVD

EPSS

1.1%

top 21.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zend Framework Zendframework Zend-db Zendframework +3 more

Timeline

PublishedFeb 17

Latest updateApr 23

Description

SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶NVDzend/zend_framework2.2.0 — 2.2.8+2

▶Packagistzendframework/zend-db2.0.0 — 2.0.99+3

▶Packagistzendframework/zendframework2.0.0 — 2.0.99+3

▶Packagistzendframework/zendframework11.12.0 — 1.12.9

Also affects: Fedora 19, 20, 21, Enterprise Linux 6.0, 7.0

🔴Vulnerability Details

GHSA

Zend Framework SQL injection vulnerability↗2024-04-23

▶

OSV

Zend Framework SQL injection vulnerability↗2024-04-23

▶

CVEList

CVE-2014-8089: SQL injection vulnerability in Zend Framework before 1↗2020-02-17

▶

OSV

CVE-2014-8089: SQL injection vulnerability in Zend Framework before 1↗2020-02-17

▶

💬Community

Bugzilla

CVE-2014-8089 php-ZendFramework: SQL injection issue when using the sqlsrv PHP extension (ZF2014-06)↗2014-10-10

▶