zf-apigility contains a class, ZF\Apigility\DbConnectedResource, used by all DB-Connected REST services for prototyping web services that write to a database table, or for simple CRUD-style web services.
This class was correctly pulling data from the composed input filter, if any, for create() operations. However, it was not doing so for patch() operations, leaving the potential for unfiltered data to make its way to the database.
Note, however, that this is not a SQL injection vulnerability, as database updates still went through the underlying database abstraction layer. Even so, in cases where values are expected to be normalized, unfiltered versions could enter the database; additionally, if data not matching existing database columns were provided, database errors could occur.
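To make the difference concrete, the following is an added illustration written for this advisory, not code from zf-apigility itself. It assumes zendframework/zend-inputfilter is installed via Composer and uses a simplified stand-in class (StandInResource, with hypothetical patchBeforeFix()/patchAfterFix() methods) in place of ZF\Apigility\DbConnectedResource, so that the same PATCH payload can be traced through both behaviours.

```php
<?php
// Added illustration, not zf-apigility code. Assumes zendframework/zend-inputfilter
// is available through Composer (vendor/autoload.php). StandInResource and its two
// patch*() methods are hypothetical simplifications of ZF\Apigility\DbConnectedResource.
require 'vendor/autoload.php';

use Zend\InputFilter\InputFilter;
use Zend\InputFilter\Input;
use Zend\Filter\StringTrim;
use Zend\Filter\StringToLower;

// The kind of input filter a DB-Connected service composes: it declares the allowed
// fields (matching the table's columns) and normalizes their values.
function buildInputFilter(): InputFilter
{
    $email = new Input('email');
    $email->getFilterChain()->attach(new StringTrim())->attach(new StringToLower());

    $name = new Input('name');
    $name->getFilterChain()->attach(new StringTrim());

    $filter = new InputFilter();
    $filter->add($email);
    $filter->add($name);
    return $filter;
}

class StandInResource
{
    /** @var InputFilter|null */
    private $inputFilter;

    public function __construct(InputFilter $inputFilter = null)
    {
        $this->inputFilter = $inputFilter;
    }

    // Behaviour before the fix: the raw request payload is what reaches the table
    // gateway, regardless of any composed input filter.
    public function patchBeforeFix($id, $data): array
    {
        return (array) $data;
    }

    // Behaviour after the fix: when an input filter is composed, only its filtered
    // values (declared fields, normalized) are used; without one, fall back to raw data.
    public function patchAfterFix($id, $data): array
    {
        $data = (array) $data;
        if ($this->inputFilter === null) {
            return $data;
        }
        $this->inputFilter->setData($data);
        $this->inputFilter->isValid();
        return $this->inputFilter->getValues();
    }
}

// Constructed PATCH payload: un-normalized values plus a key matching no column.
$payload = [
    'email'    => '  Alice@Example.COM ',
    'name'     => ' Alice ',
    'is_admin' => 1, // not a declared input; would reach the table before the fix
];

$resource = new StandInResource(buildInputFilter());

echo "before fix:\n";
var_export($resource->patchBeforeFix(1, $payload));
// email/name unnormalized, is_admin passed through -> database error (or stray column)

echo "\nafter fix:\n";
var_export($resource->patchAfterFix(1, $payload));
// ['email' => 'alice@example.com', 'name' => 'Alice']; is_admin dropped
```

The fixed path mirrors the advisory's point: the input filter already describes which columns the service accepts and how values are normalized, so every write operation, not only create(), should read from it when one is composed.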
Each of the patch() operations in the ZF\Apigility\DbConnectedResource class was updated to always pull data from the composed input filter when present.
The following releases contain the fixes:
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
Have you identified a security vulnerability?
Please report it to us at firstname.lastname@example.org