CVE-2021-43822 - Vulnerability Details

Vendors	Products
Jackalope Doctrine-dbal Project	Jackalope Doctrine-dbal

Link	Providers
https://github.com/jackalope/jackalope-doctrine-dbal/commit/9d179a36d320330ddb303ea3a7c98d3a33d231db
https://github.com/jackalope/jackalope-doctrine-dbal/security/advisories/GHSA-ph98-v78f-jqrm

{"containers": {"cna": {"affected": [{"product": "jackalope-doctrine-dbal", "vendor": "jackalope", "versions": [{"status": "affected", "version": "< 1.7.4"}]}], "descriptions": [{"lang": "en", "value": "Jackalope Doctrine-DBAL is an implementation of the PHP Content Repository API (PHPCR) using a relational database to persist data. In affected versions users can provoke SQL injections if they can specify a node name or query. Upgrade to version 1.7.4 to resolve this issue. If that is not possible, you can escape all places where `$property` is used to filter `sv:name` in the class `Jackalope\\Transport\\DoctrineDBAL\\Query\\QOMWalker`: `XPath::escape($property)`. Node names and xpaths can contain `\"` or `;` according to the JCR specification. The jackalope component that translates the query object model into doctrine dbal queries does not properly escape the names and paths, so that a accordingly crafted node name can lead to an SQL injection. If queries are never done from user input, or if you validate the user input to not contain `;`, you are not affected."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-13T19:50:10", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jackalope/jackalope-doctrine-dbal/security/advisories/GHSA-ph98-v78f-jqrm"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/jackalope/jackalope-doctrine-dbal/commit/9d179a36d320330ddb303ea3a7c98d3a33d231db"}], "source": {"advisory": "GHSA-ph98-v78f-jqrm", "discovery": "UNKNOWN"}, "title": "SQL injection in jackalope/jackalope-doctrine-dbal", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-43822", "STATE": "PUBLIC", "TITLE": "SQL injection in jackalope/jackalope-doctrine-dbal"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "jackalope-doctrine-dbal", "version": {"version_data": [{"version_value": "< 1.7.4"}]}}]}, "vendor_name": "jackalope"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jackalope Doctrine-DBAL is an implementation of the PHP Content Repository API (PHPCR) using a relational database to persist data. In affected versions users can provoke SQL injections if they can specify a node name or query. Upgrade to version 1.7.4 to resolve this issue. If that is not possible, you can escape all places where `$property` is used to filter `sv:name` in the class `Jackalope\\Transport\\DoctrineDBAL\\Query\\QOMWalker`: `XPath::escape($property)`. Node names and xpaths can contain `\"` or `;` according to the JCR specification. The jackalope component that translates the query object model into doctrine dbal queries does not properly escape the names and paths, so that a accordingly crafted node name can lead to an SQL injection. If queries are never done from user input, or if you validate the user input to not contain `;`, you are not affected."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/jackalope/jackalope-doctrine-dbal/security/advisories/GHSA-ph98-v78f-jqrm", "refsource": "CONFIRM", "url": "https://github.com/jackalope/jackalope-doctrine-dbal/security/advisories/GHSA-ph98-v78f-jqrm"}, {"name": "https://github.com/jackalope/jackalope-doctrine-dbal/commit/9d179a36d320330ddb303ea3a7c98d3a33d231db", "refsource": "MISC", "url": "https://github.com/jackalope/jackalope-doctrine-dbal/commit/9d179a36d320330ddb303ea3a7c98d3a33d231db"}]}, "source": {"advisory": "GHSA-ph98-v78f-jqrm", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:03:08.861Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/jackalope/jackalope-doctrine-dbal/security/advisories/GHSA-ph98-v78f-jqrm"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/jackalope/jackalope-doctrine-dbal/commit/9d179a36d320330ddb303ea3a7c98d3a33d231db"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-43822", "datePublished": "2021-12-13T19:50:11", "dateReserved": "2021-11-16T00:00:00", "dateUpdated": "2024-08-04T04:03:08.861Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jackalope_doctrine-dbal_project:jackalope_doctrine-dbal:*:*:*:*:*:*:*:*", "matchCriteriaId": "8BDEE924-F711-42C6-91CC-DE195A153967", "versionEndExcluding": "1.7.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Jackalope Doctrine-DBAL is an implementation of the PHP Content Repository API (PHPCR) using a relational database to persist data. In affected versions users can provoke SQL injections if they can specify a node name or query. Upgrade to version 1.7.4 to resolve this issue. If that is not possible, you can escape all places where `$property` is used to filter `sv:name` in the class `Jackalope\\Transport\\DoctrineDBAL\\Query\\QOMWalker`: `XPath::escape($property)`. Node names and xpaths can contain `\"` or `;` according to the JCR specification. The jackalope component that translates the query object model into doctrine dbal queries does not properly escape the names and paths, so that a accordingly crafted node name can lead to an SQL injection. If queries are never done from user input, or if you validate the user input to not contain `;`, you are not affected."}, {"lang": "es", "value": "Jackalope Doctrine-DBAL es una implementaci\u00f3n de la API de Repositorio de Contenido PHP (PHPCR) que usa una base de datos relacional para persistir los datos. En las versiones afectadas los usuarios pueden provocar inyecciones SQL si pueden especificar un nombre de nodo o una consulta. Actualice a versi\u00f3n 1.7.4 para resolver este problema. Si no es posible, puede escapar de todos los lugares donde es usado \"$property\" para filtrar \"sv:name\" en la clase \"Jackalope\\Transport\\DoctrineDBAL\\Query\\QOMWalker\": \"XPath::escape($property)\". Los nombres de nodo y los xpaths pueden contener \"\"\" o \";\" seg\u00fan la especificaci\u00f3n JCR. El componente jackalope que traduce el modelo de objetos de consulta en consultas dbal de la doctrina no escapa adecuadamente los nombres y rutas, por lo que un nombre de nodo convenientemente elaborado puede llevar a una inyecci\u00f3n SQL. Si las consultas nunca son realizadas a partir de la entrada del usuario, o si es comprobada la entrada del usuario para que no contenga \";\", no est\u00e1 afectado"}], "id": "CVE-2021-43822", "lastModified": "2024-11-21T06:29:52.117", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-12-13T20:15:07.757", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/jackalope/jackalope-doctrine-dbal/commit/9d179a36d320330ddb303ea3a7c98d3a33d231db"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/jackalope/jackalope-doctrine-dbal/security/advisories/GHSA-ph98-v78f-jqrm"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/jackalope/jackalope-doctrine-dbal/commit/9d179a36d320330ddb303ea3a7c98d3a33d231db"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/jackalope/jackalope-doctrine-dbal/security/advisories/GHSA-ph98-v78f-jqrm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object