SQL injection in Debian Linux - CVE-2015-7695
Published: June 7, 2016 / Updated: August 9, 2020
Vulnerability identifier: #VU40249
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2015-7695
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Debian
Affected software:
Debian Linux
Debian Linux
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The PDO adapters in Zend Framework before 1.12.16 do not filer null bytes in SQL statements, which allows remote attackers to execute arbitrary SQL commands via a crafted query.
How to mitigate CVE-2015-7695
Install update from vendor's website.
Sources
- http://framework.zend.com/security/advisory/ZF2015-08
- http://www.debian.org/security/2015/dsa-3369
- http://www.openwall.com/lists/oss-security/2015/09/30/6
- http://www.openwall.com/lists/oss-security/2015/09/30/8
- http://www.openwall.com/lists/oss-security/2015/10/11/3
- http://www.securityfocus.com/bid/76784