silverstripe/framework may disclose database credentials during connection failure · GHSA-m2hh-2m46-x6j5 · GitHub Advisory Database · GitHub

silverstripe/framework may disclose database credentials during connection failure

Moderate severity GitHub Reviewed Published May 28, 2024 to the GitHub Advisory Database • Updated May 28, 2024

Package

silverstripe/framework (Composer)

Affected versions

>= 3.7.0-rc1, < 3.7.1

>= 4.0.0-rc1, < 4.0.5

>= 4.1.0-rc1, < 4.1.3

>= 4.2.0-rc1, < 4.2.2

Patched versions

3.7.1

4.0.5

4.1.3

4.2.2

Description

When running SilverStripe 3.7 or 4.x in dev mode with the mysqli database driver, there is a potential to disclose the connection details.

We have blacklisted the sensitive parts of the connection information from being included in dev mode stack traces when database errors occur.

References

Published to the GitHub Advisory Database May 28, 2024

Reviewed May 28, 2024

Last updated May 28, 2024

Severity

Moderate

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N