CVE-2015-7695 — Zend Framework SQL injection vector using null byte for PDO

Description

The PDO adapters in Zend Framework before 1.12.16 do not filer null bytes in SQL statements, which allows remote attackers to execute arbitrary SQL commands via a crafted query.

How to fix CVE-2015-7695

To remediate CVE-2015-7695, upgrade the affected package to a fixed version below.

Debian/zendframework—upgrade to 1.10.6-1squeeze6 or later
—upgrade to 1.12.16 or later

Is CVE-2015-7695 being exploited?

Low — EPSS is 2.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1.10.6-1squeeze6
from 0, < 1.12.16

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-7695
PATCHgithub.com/zendframework/zf1
WEBframework.zend.com/security/advisory/ZF2015-08
WEBwww.debian.org/security/2015/dsa-3369
WEBwww.openwall.com