CVE-2014-8089

NameCVE-2014-8089
DescriptionSQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-251-1, DSA-3265-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
zendframework (PTS)jessie, jessie (lts)1.12.9+dfsg-2+deb8u7fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
zendframeworksourcesqueeze1.10.6-1squeeze3DLA-251-1
zendframeworksourcewheezy1.11.13-1.1+deb7u1DSA-3265-1
zendframeworksource(unstable)1.12.9+dfsg-1

Notes

http://framework.zend.com/security/advisory/ZF2014-06

Search for package or bug name: Reporting problems