CVE-2016-4861 — Zend Framework Allows SQL Injection

Description

The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation.

How to fix CVE-2016-4861

To remediate CVE-2016-4861, upgrade the affected package to a fixed version below.

Debian/zendframework—upgrade to 1.12.9+dfsg-2+deb8u7 or later
—upgrade to 1.11.13-1.1+deb7u5 or later
—upgrade to 1.12.20 or later

Is CVE-2016-4861 being exploited?

Low — EPSS is 4.0%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 1.12.9+dfsg-2+deb8u7
from 0, < 1.11.13-1.1+deb7u5
from 0, < 1.12.20

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-4861
PATCHgithub.com/zendframework/zendframework
WEBjvndb.jvn.jp/jvndb/JVNDB-2016-000158
WEBjvn.jp/en/jp/JVN18926672/index.html
WEBframework.zend.com