CVE-2019-8979

Name: CVE-2019-8979
Description: Kohana through 3.3.6 has SQL Injection when the order_by() parameter can be controlled.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| libkohana2-php (PTS) | jessie, jessie (lts) | 2.3.4-2+deb8u1 | fixed |

The information below is based on the following data on fixed versions.

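| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libkohana2-php | source | wheezy | (unfixed) | end-of-life | | |
| libkohana2-php | source | jessie | (not affected) | | | |
| libkohana2-php | source | (unstable) | (unfixed) | | | |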

Notes

[jessie] - libkohana2-php <not-affected> (orderby function properly checks for allowed values)
https://github.com/huzr2018/orderby_SQLi/tree/master/kohana
https://github.com/koseven/koseven/issues/323
