CVE-2014-4914

Published: 29 December 2017

The Zend_Db_Select::order function in Zend Framework before 1.12.7 does not properly handle parentheses, which allows remote attackers to conduct SQL injection attacks via unspecified vectors.

Priority

CVSS 3 base score: 9.8

Status

Package	Release	Status
zendframework Launchpad, Ubuntu, Debian	lucid	Ignored (reached end-of-life)
	precise	Does not exist
	saucy	Does not exist
	trusty	Does not exist
	upstream	Needs triage

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4914
http://framework.zend.com/security/advisory/ZF2014-04
https://github.com/zendframework/zf1/commit/da09186c60b9168520e994af4253fba9c19c2b3d
NVD
Launchpad
Debian

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754201

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›