Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/55328?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55328?format=api", "vulnerability_id": "VCID-m1dk-ptr5-23c2", "summary": "ZendFramework potential SQL Injection Vector When Using PDO_MySql\nDevelopers using non-ASCII-compatible encodings in conjunction with the MySQL PDO driver of PHP may be vulnerable to SQL injection attacks. Developers using ASCII-compatible encodings like UTF8 or latin1 are not affected by this PHP issue, which is described in more detail here:\n\nhttp://bugs.php.net/bug.php?id=47802\nThe PHP Group included a feature in PHP 5.3.6+ that allows any character set information to be passed as part of the DSN in PDO to allow both the database as well as the C-level driver to be aware of which charset is in use which is of special importance when PDO's quoting mechanisms are utilized, which Zend Framework also relies on.", "aliases": [ { "alias": "GHSA-qf36-fx9f-232x" } ], "fixed_packages": [], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/51166?format=api", "purl": "pkg:composer/zendframework/zendframework1@1.10.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-m1dk-ptr5-23c2" }, { "vulnerability": "VCID-m1p7-zwwq-jbdg" }, { "vulnerability": "VCID-v3p7-aj4a-33d5" }, { "vulnerability": "VCID-zghw-vr2u-pkf3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.10.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/51202?format=api", "purl": "pkg:composer/zendframework/zendframework1@1.11.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cp1a-fprd-9fhk" }, { "vulnerability": "VCID-j5kg-jzxz-ruam" }, { "vulnerability": "VCID-m1dk-ptr5-23c2" }, { "vulnerability": "VCID-m1p7-zwwq-jbdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework1@1.11.0" } ], "references": [ { "reference_url": "http://bugs.php.net/bug.php?id=47802", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://bugs.php.net/bug.php?id=47802" }, { "reference_url": "https://framework.zend.com/security/advisory/ZF2011-02", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://framework.zend.com/security/advisory/ZF2011-02" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2011-02.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2011-02.yaml" }, { "reference_url": "https://github.com/zendframework/zf1", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/zendframework/zf1" }, { "reference_url": "https://github.com/advisories/GHSA-qf36-fx9f-232x", "reference_id": "GHSA-qf36-fx9f-232x", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qf36-fx9f-232x" } ], "weaknesses": [ { "cwe_id": 89, "name": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "description": "The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": "9.0 - 10.0", "exploitability": "0.5", "weighted_severity": "9.0", "risk_score": 4.5, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m1dk-ptr5-23c2" }