Vulnerability Description
The PDO adapters in Zend Framework before 1.12.16 do not filer null bytes in SQL statements, which allows remote attackers to execute arbitrary SQL commands via a crafted query.
CVSS Score
9.8
CRITICAL
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zend | Zend Framework | <= 1.12.15 |
| Debian | Debian Linux | 7.0 |
Related Weaknesses (CWE)
References
- http://framework.zend.com/security/advisory/ZF2015-08Vendor Advisory
- http://www.debian.org/security/2015/dsa-3369
- http://www.openwall.com/lists/oss-security/2015/09/30/6
- http://www.openwall.com/lists/oss-security/2015/09/30/8
- http://www.openwall.com/lists/oss-security/2015/10/11/3
- http://www.securityfocus.com/bid/76784
- http://framework.zend.com/security/advisory/ZF2015-08Vendor Advisory
- http://www.debian.org/security/2015/dsa-3369
- http://www.openwall.com/lists/oss-security/2015/09/30/6
- http://www.openwall.com/lists/oss-security/2015/09/30/8
- http://www.openwall.com/lists/oss-security/2015/10/11/3
- http://www.securityfocus.com/bid/76784
FAQ
What is CVE-2015-7695?
CVE-2015-7695 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The PDO adapters in Zend Framework before 1.12.16 do not filer null bytes in SQL statements, which allows remote attackers to execute arbitrary SQL commands via a crafted query.
How severe is CVE-2015-7695?
CVE-2015-7695 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2015-7695?
Check the references section above for vendor advisories and patch information. Affected products include: Zend Zend Framework, Debian Debian Linux.