Vulnerability Description
SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte.
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zend | Zend Framework | < 1.12.9 |
| Redhat | Enterprise Linux | 6.0 |
| Fedoraproject | Fedora | 19 |
Related Weaknesses (CWE)
References
- http://framework.zend.com/security/advisory/ZF2014-06 (Exploit, Vendor Advisory)
- http://seclists.org/oss-sec/2014/q4/276 (Mailing List, Third Party Advisory)
- http://www.securityfocus.com/bid/70011 (Third Party Advisory, VDB Entry)
- https://bugzilla.redhat.com/show_bug.cgi?id=1151277 (Issue Tracking, Third Party Advisory)
FAQ
What is CVE-2014-8089?
CVE-2014-8089 is a vulnerability with a CVSS score of 9.8 (CRITICAL). SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands ...
How severe is CVE-2014-8089?
CVE-2014-8089 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2014-8089?
Check the references section above for vendor advisories and patch information. Affected products include: Zend Zend Framework, Redhat Enterprise Linux, Fedoraproject Fedora.