CVE-2021-43822

HIGH

Jackalope Doctrine-DBAL - SQL Injection

Title source: llm
STIX 2.1

Description

Jackalope Doctrine-DBAL is an implementation of the PHP Content Repository API (PHPCR) using a relational database to persist data. In affected versions users can provoke SQL injections if they can specify a node name or query. Upgrade to version 1.7.4 to resolve this issue. If that is not possible, you can escape all places where `$property` is used to filter `sv:name` in the class `Jackalope\Transport\DoctrineDBAL\Query\QOMWalker`: `XPath::escape($property)`. Node names and xpaths can contain `"` or `;` according to the JCR specification. The jackalope component that translates the query object model into doctrine dbal queries does not properly escape the names and paths, so that a accordingly crafted node name can lead to an SQL injection. If queries are never done from user input, or if you validate the user input to not contain `;`, you are not affected.

References (2)

Core 2

Scores

CVSS v3 8.5
EPSS 0.0097
EPSS Percentile 57.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (2)
jackalope/jackalope-doctrine-dbal 0 - 1.7.4Packagist
jackalope_doctrine-dbal_project/jackalope_doctrine-dbal < 1.7.4
Published Dec 13, 2021
Tracked Since Feb 18, 2026