CVE-2016-4861 — CRITICAL (9.8)

Q: How severe is CVE-2016-4861?

CVE-2016-4861 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2016-4861?

Check the references section above for vendor advisories and patch information. Affected products include: Fedoraproject Fedora, Zend Zend Framework.

Vulnerability Description

The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation.

CVSS Score

9.8

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Fedoraproject	Fedora	23
Zend	Zend Framework	<= 1.12.19

Related Weaknesses (CWE)

CWE-89

References

http://jvn.jp/en/jp/JVN18926672/index.htmlThird Party AdvisoryVDB Entry
http://jvndb.jvn.jp/jvndb/JVNDB-2016-000158Third Party AdvisoryVDB Entry
https://framework.zend.com/security/advisory/ZF2016-03ExploitTechnical DescriptionVendor Advisory
https://lists.debian.org/debian-lts-announce/2018/06/msg00012.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/201804-10
http://jvn.jp/en/jp/JVN18926672/index.htmlThird Party AdvisoryVDB Entry
http://jvndb.jvn.jp/jvndb/JVNDB-2016-000158Third Party AdvisoryVDB Entry
https://framework.zend.com/security/advisory/ZF2016-03ExploitTechnical DescriptionVendor Advisory
https://lists.debian.org/debian-lts-announce/2018/06/msg00012.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro

FAQ

What is CVE-2016-4861?

CVE-2016-4861 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from a...

How severe is CVE-2016-4861?

CVE-2016-4861 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2016-4861?

Check the references section above for vendor advisories and patch information. Affected products include: Fedoraproject Fedora, Zend Zend Framework.