MidnightBSD

Advisories for doctrine-project

CVE-2011-1522 HIGH

Multiple SQL injection vulnerabilities in the Doctrine\DBAL\Platforms\AbstractPlatform::modifyLimitQuery function in Doctrine 1.x before 1.2.4 and 2.x before 2.0.3 allow remote attackers to execute arbitrary SQL commands via the (1) limit or (2) offset field.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89

Products Affected

Vendor Product Version
doctrine-project doctrine 2.0.1
doctrine-project doctrine 2.0.2
doctrine-project doctrine1.2.1 *
doctrine-project doctrine1.2.2 *
doctrine-project doctrine1.2.3 *
doctrine-project doctrine1.2.0 *
doctrine-project doctrine 2.0.0

CVE-2015-5723 HIGH

Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264

Products Affected

Vendor Product Version
zend zend-cache 2.5.1
doctrine-project object_relational_mapper *
doctrine-project object_relational_mapper 2.5.0
debian debian_linux 7.0
doctrine-project cache 1.4.0
doctrine-project cache 1.4.1
zend zend-cache 2.5.2
doctrine-project doctrinemongodbbundle 3.0.0
zend zend-cache *
debian debian_linux 8.0
doctrine-project mongodb-odm *
doctrine-project cache *
doctrine-project common 2.5.0
zend zend-cache 2.5.0
zend zend_framework *
zend zf-apigility-doctrine *
doctrine-project common *
doctrine-project annotations *

CVE-2021-43608 HIGH

Doctrine DBAL 3.x before 3.1.4 allows SQL Injection. The offset and length inputs used to generate a LIMIT clause were not properly cast to an integer, allowing SQL injection to take place if application developers passed unescaped user input to the DBAL QueryBuilder or any other API that ultimately uses the AbstractPlatform::modifyLimitQuery API.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89

Products Affected

Vendor Product Version
doctrine-project database_abstraction_layer *