Security

Security Advisory: ZF2015-02

ZF2015-02: Potential SQL injection in PostgreSQL Zend\Db adapter

Zend\Db's PostgreSQL adapter was incorrectly escaping quotes used for identifiers and values, which could lead to potential SQL injection vectors.

Action Taken

A patch was written that provides the correct PostgreSQL escaping sequence for quotes used for identifiers and values, and tests were added to ensure correctness going forward.

The patch fixing the issue has been applied in the following versions:

  • Zend Framework 2.2.10
  • Zend Framework 2.3.5

This vulnerability has also been disclosed as CVE-2015-0270.

Recommendations

If you are using the Zend\Db PostgreSQL adapter, we recommend upgrading immediately.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

Released 2015-02-18

Back to advisories

Have you identified a security vulnerability?

Please report it to us at zf-security@zend.com

About
Overview
FAQ
License
Long Term Support
Changelog
Security
Issues

Install
Get started
MVC skeleton app
Expressive skeleton app
Archives
Statistics

Documentation
Overview
Training and Certification
Support and Consulting
Webinars
Blog
Zend Framework 2 - API
Zend Framework 1 - API

Participate
Overview
Slack
Forums
Newsletter
Contributor guide
Code Manifesto
Contributors
Logos
Status
Get certified

Copyright

© 2006-2017 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts