CVE-2021-21704

MEDIUM5.0

Multiple vulnerabilities in Firebird client extension

Published Oct 4, 2021

Modified 1 years ago

No fix available

Details

In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(), execute(), fetch() and others by returning invalid response data that is not parsed correctly by the driver. This can result in crashes, denial of service or potentially memory corruption.

References

WEBhttps://bugs.php.net/bug.php?id=76448 WEBhttps://bugs.php.net/bug.php?id=76449 WEBhttps://bugs.php.net/bug.php?id=76450 WEBhttps://bugs.php.net/bug.php?id=76452 ADVISORYhttps://security.gentoo.org/glsa/202209-20 WEBhttps://security.netapp.com/advisory/ntap-20211029-0006/ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2021-21704

CVSS Analysis

CVSS v3.1

5.0

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

HighAC:H

Privileges Required

NonePR:N

User Interaction

RequiredUI:R

Scope

UnchangedS:U

Impact

Confidentiality

LowC:L

Integrity

LowI:L

Availability

LowA:L

5/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Weakness Type (CWE)

Memory Safety

CWE-125

Out-of-bounds Read

Other

CWE-190

Ecosystems

Timeline

PublishedOct 4, 2021

ModifiedSep 17, 2024