Bug 2255192 (CVE-2021-3850)

Summary: CVE-2021-3850 php-adodb: authentication bypass in PostgreSQL connections
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: ahanwate
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: adodb 5.20.21, adodb 5.21.4 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability discovered in the PHP-ADOdb library allows an attacker to inject values into a PostgreSQL connection string by embedding a parameter within single quotes. Depending on the usage of the library in client software, this could potentially enable an attacker to circumvent the login process, potentially gaining unauthorized access to sensitive information such as the server's IP address.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2255193    
Bug Blocks:    

Comment 1 TEJ RATHI 2023-12-19 06:48:43 UTC
Created php-adodb tracking bugs for this issue:

Affects: epel-all [bug 2255193]

Comment 2 TEJ RATHI 2023-12-19 06:53:29 UTC
Fedora-38 and above are already using php-adodb-5.22.6-1 and later versions. Hence, setting fedora as not-affected.