Bug 2255192 (CVE-2021-3850) - CVE-2021-3850 php-adodb: authentication bypass in PostgreSQL connections
Summary: CVE-2021-3850 php-adodb: authentication bypass in PostgreSQL connections
Keywords:
Status: NEW
Alias: CVE-2021-3850
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2255193
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-12-19 06:48 UTC by TEJ RATHI
Modified: 2023-12-20 05:20 UTC (History)
1 user (show)

Fixed In Version: adodb 5.20.21, adodb 5.21.4
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability discovered in the PHP-ADOdb library allows an attacker to inject values into a PostgreSQL connection string by embedding a parameter within single quotes. Depending on the usage of the library in client software, this could potentially enable an attacker to circumvent the login process, potentially gaining unauthorized access to sensitive information such as the server's IP address.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description TEJ RATHI 2023-12-19 06:48:18 UTC 
Authentication Bypass by Primary Weakness in GitHub repository adodb/adodb prior to 5.20.21.

https://huntr.com/bounties/bdf5f216-4499-4225-a737-b28bc6f5801c/
https://github.com/ADOdb/ADOdb/issues/793
https://github.com/ADOdb/ADOdb/security/advisories/GHSA-65mj-7c86-79jf
https://github.com/adodb/adodb/commit/952de6c4273d9b1e91c2b838044f8c2111150c29
Comment 1 TEJ RATHI 2023-12-19 06:48:43 UTC 
Created php-adodb tracking bugs for this issue:

Affects: epel-all [bug 2255193]
Comment 2 TEJ RATHI 2023-12-19 06:53:29 UTC 
Fedora-38 and above are already using php-adodb-5.22.6-1 and later versions. Hence, setting fedora as not-affected.
Note You need to log in before you can comment on or make changes to this bug.