Most notably, it is *not* an SQL injection bug; it is a logic error that might cause an SQL query to have different operator precedence for AND/OR conditions than was expected from the DQL, leading to data loss or information leaks.
On Wed, Apr 21, 2021 at 9:45 AM Marco Pivetta <[email protected]> wrote:
> It is not a false positive: it is a critical bug that can potentially lead
> to data exfiltration.
>
> The report is wrong in its version range though: only 2.8.3 is affected,
> while both 2.8.2 and 2.8.4 are OK.
>
> https://github.com/FriendsOfPHP/security-advisories/pull/548
>
> On Wed, Apr 21, 2021, 05:00 Alex Mahone <[email protected]> wrote:
>
>> Hi, our security team used superduck to scan the code and found that the
>> ORM reported a security issue, but we checked the code. Will this cause
>> a security issue? If not, can we eliminate this false positive?
>>
>> Issue reported by Vulnerability DB:
>> https://snyk.io//vuln/SNYK-PHP-DOCTRINEORM-1243727
>>
>> Thanks.

-- 
You received this message because you are subscribed to the Google Groups "doctrine-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/doctrine-user/CAEPJduk-onVPGvmfbeLVJDfX5ugozx2K0j7jnXLEBFi6ByGhnA%40mail.gmail.com.
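As an added illustration of the failure mode described in the thread (this is not code from the thread or from Doctrine), the stand-alone SQLite script below shows how dropping the grouping parentheses around an OR nested inside an AND changes which rows a SELECT returns and which rows a DELETE removes. The `documents` table, its columns and both WHERE clauses are constructed for the demo and are not the ORM's actual generated SQL.

```python
import sqlite3

# Constructed sample data (not from the thread): documents owned by three users.
ROWS = [
    (1, "alice", "draft"),
    (2, "alice", "published"),
    (3, "bob", "draft"),
    (4, "bob", "review"),
    (5, "carol", "published"),
]

# What the query author expressed: owner = ? AND (status = 'draft' OR status = 'review')
INTENDED_WHERE = "owner = ? AND (status = 'draft' OR status = 'review')"
# The same condition with its grouping parentheses lost; SQL parses this as
# (owner = ? AND status = 'draft') OR status = 'review'.
FLATTENED_WHERE = "owner = ? AND status = 'draft' OR status = 'review'"


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, owner TEXT, status TEXT)")
    con.executemany("INSERT INTO documents VALUES (?, ?, ?)", ROWS)
    return con


def select_ids(where_clause, owner):
    """Ids a SELECT restricted to one owner returns with the given (constant) WHERE clause."""
    con = fresh_db()
    rows = con.execute(f"SELECT id FROM documents WHERE {where_clause}", (owner,)).fetchall()
    con.close()
    return sorted(r[0] for r in rows)


def delete_survivors(where_clause, owner):
    """Ids that survive a DELETE restricted to one owner with the given WHERE clause."""
    con = fresh_db()
    con.execute(f"DELETE FROM documents WHERE {where_clause}", (owner,))
    rows = con.execute("SELECT id FROM documents").fetchall()
    con.close()
    return sorted(r[0] for r in rows)


def leaked_ids(owner):
    """Rows visible to `owner` only because the parentheses were lost: information leak."""
    return sorted(set(select_ids(FLATTENED_WHERE, owner)) - set(select_ids(INTENDED_WHERE, owner)))


def lost_ids(owner):
    """Rows deleted only because the parentheses were lost: data loss."""
    return sorted(set(delete_survivors(INTENDED_WHERE, owner)) - set(delete_survivors(FLATTENED_WHERE, owner)))


if __name__ == "__main__":
    print("leaked to alice:", leaked_ids("alice"))        # [4]  (bob's document in review)
    print("lost when alice deletes:", lost_ids("alice"))  # [4]
```

A regression test of this shape, run against the SQL an ORM actually emits for a DQL with nested OR/AND, is the check that would have caught the precedence change before deployment.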
