Zend\Db's PostgreSQL adapter was incorrectly escaping quotes used in identifiers and values, which could open SQL injection vectors.
A patch was written that provides the correct PostgreSQL escaping sequence for quotes used for identifiers and values, and tests were added to ensure correctness going forward.
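The following is an added illustration, not Zend\Db's own code, of the class of mistake this advisory describes and of the escaping sequence PostgreSQL actually expects. It assumes, for the "flawed" functions, that the quote was escaped with a preceding backslash (the advisory does not show the original code, so that is an assumption used only to demonstrate the failure). The tiny scanner models how PostgreSQL tokenizes `'...'` literals, `"..."` identifiers and `--` comments under `standard_conforming_strings = on` (the default since PostgreSQL 9.1), where a backslash inside a quoted token is an ordinary character and the only escape is a doubled quote. Payloads and the `users` table are constructed for the example.

```python
# Added example (not Zend\Db code): backslash-escaping a quote is not a safe
# PostgreSQL escape; doubling the quote is.
from __future__ import annotations


def escape_value_backslash(value: str) -> str:
    """Flawed escaping, assumed for illustration: precede each ' with a backslash.
    With standard_conforming_strings = on a backslash inside '...' is an ordinary
    character, so the ' still closes the literal."""
    return "'" + value.replace("'", "\\'") + "'"


def escape_value_doubled(value: str) -> str:
    """Correct PostgreSQL escaping for a string literal: double each '."""
    return "'" + value.replace("'", "''") + "'"


def quote_identifier_backslash(identifier: str) -> str:
    """Flawed escaping, assumed for illustration: precede each " with a backslash."""
    return '"' + identifier.replace('"', '\\"') + '"'


def quote_identifier_doubled(identifier: str) -> str:
    """Correct PostgreSQL escaping for a quoted identifier: double each "."""
    return '"' + identifier.replace('"', '""') + '"'


def _scan_quoted(sql: str, i: int, q: str) -> tuple[str, int]:
    """Scan a quoted token whose opening quote q is at sql[i].  The only escape
    inside the token is a doubled quote; a backslash is a literal character.
    Returns (token content, index just past the closing quote)."""
    buf: list[str] = []
    i += 1
    n = len(sql)
    while i < n:
        if sql[i] == q:
            if i + 1 < n and sql[i + 1] == q:  # qq -> one literal q
                buf.append(q)
                i += 2
                continue
            return "".join(buf), i + 1          # closing quote
        buf.append(sql[i])
        i += 1
    raise ValueError(f"unterminated {q} token")


def skeleton(sql: str) -> tuple[str, list[str]]:
    """Reduce a statement to the shape the parser sees: each string literal
    becomes '?', each quoted identifier 'I', '--' comments are dropped, and
    the contents of the quoted tokens are returned separately.  Anything
    that survives outside a token is SQL the server will execute."""
    out: list[str] = []
    tokens: list[str] = []
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch in ("'", '"'):
            content, i = _scan_quoted(sql, i, ch)
            tokens.append(content)
            out.append("?" if ch == "'" else "I")
        elif sql.startswith("--", i):          # comment runs to end of line
            j = sql.find("\n", i)
            i = n if j == -1 else j
        else:
            out.append(ch)
            i += 1
    return "".join(out), tokens


def demo() -> dict[str, str]:
    """Run constructed injection payloads through both escapers and return
    the statement skeleton PostgreSQL would parse in each case."""
    value_payload = "' OR 1=1 --"       # constructed attacker input for a value
    ident_payload = 'col" FROM x; --'   # constructed attacker input for an identifier
    value_sql = "SELECT * FROM users WHERE name = "
    return {
        "value_flawed": skeleton(value_sql + escape_value_backslash(value_payload))[0],
        "value_fixed": skeleton(value_sql + escape_value_doubled(value_payload))[0],
        "ident_flawed": skeleton("SELECT " + quote_identifier_backslash(ident_payload) + " FROM users")[0],
        "ident_fixed": skeleton("SELECT " + quote_identifier_doubled(ident_payload) + " FROM users")[0],
    }


if __name__ == "__main__":
    for name, shape in demo().items():
        print(f"{name:13} {shape!r}")
```

With the backslash form, the skeletons come out as `SELECT * FROM users WHERE name = ? OR 1=1 ` and `SELECT I FROM x; `: the payload has escaped the quoted token and the rest of it runs as SQL, with the trailing `--` hiding the dangling quote. With doubled quotes the whole payload stays inside the token and the skeletons are `SELECT * FROM users WHERE name = ?` and `SELECT I FROM users`. When auditing your own PHP code for the same pattern, prefer the driver's quoting functions (`pg_escape_literal()` and `pg_escape_identifier()`, or `PDO::quote()`) over a hand-rolled `str_replace()`, and prefer parameterised queries over quoting altogether.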
The patch fixing the issue has been applied in the following versions:
This vulnerability has also been disclosed as CVE-2015-0270.
If you are using the Zend\Db PostgreSQL adapter, we recommend upgrading immediately.
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
Released 2015-02-18
Have you identified a security vulnerability?
Please report it to us at zf-security@zend.com