CVE-2014-8089 — Zend Framework SQL injection vulnerability

Description

SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte.

How to fix CVE-2014-8089

To remediate CVE-2014-8089, upgrade the affected package to a fixed version below.

Packagist/zendframework/zend-db—upgrade to 2.0.99 or later
—upgrade to 2.0.99 or later
—upgrade to 1.12.9 or later

Is CVE-2014-8089 being exploited?

Low — EPSS is 1.1%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

>= 2.0.0, < 2.0.99
>= 2.0.0, < 2.0.99
>= 1.12.0, < 1.12.9

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-8089
WEBframework.zend.com/security/advisory/ZF2014-06
WEBbugzilla.redhat.com/show_bug.cgi?id=1151277
WEBseclists.org/oss-sec/2014/q4/276
WEB