CVE-2016-4861

moderate-risk

Published 2017-02-17

The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation.

Do I need to act?

~

4.0% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

-

Not on CISA KEV list

No confirmed active exploitation reported to CISA

?

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

9

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (4)

Fedora

Zend Framework

Fedora

Fedora

Affected Vendors

Zend Fedoraproject

References (16)

Third Party Advisory http://jvn.jp/en/jp/JVN18926672/index.html

Third Party Advisory http://jvndb.jvn.jp/jvndb/JVNDB-2016-000158

Exploit https://framework.zend.com/security/advisory/ZF2016-03

https://lists.debian.org/debian-lts-announce/2018/06/msg00012.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

https://security.gentoo.org/glsa/201804-10

Third Party Advisory http://jvn.jp/en/jp/JVN18926672/index.html

Third Party Advisory http://jvndb.jvn.jp/jvndb/JVNDB-2016-000158

Exploit https://framework.zend.com/security/advisory/ZF2016-03

https://lists.debian.org/debian-lts-announce/2018/06/msg00012.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

https://security.gentoo.org/glsa/201804-10

49

/ 100

moderate-risk

Severity 32/34 · Critical

Exploitability 7/34 · Low

Exposure 10/34 · Low