Sploit.io - Search

Product: jackalope-doctrine-dbal, version: < 1.7.4

CVE-2021-43822

Severity: HIGH

Description: Jackalope Doctrine-DBAL is an implementation of the PHP Content Repository API (PHPCR) using a relational database to persist data. In affected versions, users can provoke SQL injections if they can specify a node name or query. Upgrade to version 1.7.4 to resolve this issue. If that is not possible, you can escape all places where `$property` is used to filter `sv:name` in the class `Jackalope\Transport\DoctrineDBAL\Query\QOMWalker`: `XPath::escape($property)`. Node names and XPaths can contain `"` or `;` according to the JCR specification. The Jackalope component that translates the query object model into Doctrine DBAL queries does not properly escape these names and paths, so an accordingly crafted node name can lead to an SQL injection. If queries are never built from user input, or if you validate the user input to not contain `;`, you are not affected.

CVSS Score: 8.5

Priority

B

CISA Data

EPSS Data

  • EPSS: 0.002410000
  • Percentile: 0.472010000
  • Date: 2026-03-21

ExploitDB

No data available.

HackerOne Data

  • Rank: 8948
  • Reports submitted count: 0
  • Unknown: 0
  • None: 0
  • Low: 0
  • Medium: 0
  • High: 0
  • Critical: 0

GitHub PoCs

Nuclei Templates

No data available.

VulnCheck Data

Affected Products:

  • jackalope jackalope-doctrine-dbal - Versions: < 1.7.4

References:

Risk Assessment

1. Risk Assessment
The vulnerability CVE-2021-43822 is an SQL injection flaw within the Jackalope Doctrine-DBAL component, a PHP implementation of the PHPCR API. The vulnerability stems from inadequate escaping of node names and XPaths when constructing SQL queries, allowing a malicious actor to inject arbitrary SQL code. The base CVSS score of 8.5 (HIGH) indicates a significant risk. The attack complexity is rated as HIGH, meaning successful exploitation requires some level of skill and understanding of the application and the underlying database. However, privileges required are low and user interaction is none, meaning an attacker can exploit the vulnerability without needing elevated privileges or direct user interaction. The scope is changed, meaning the attacker can impact components beyond the vulnerable application. Successful exploitation could have a high impact on confidentiality, integrity, and availability: an attacker could read sensitive data, modify existing data, or disrupt service entirely. The EPSS score of 0.002410000 suggests a relatively low but non-negligible probability of exploitation in the wild. Business impact could range from data breaches and data corruption to service outages, depending on the specific implementation and the data stored within the Jackalope-managed repository.

2. Potential Attack Scenarios
An attacker could leverage this vulnerability by crafting a malicious node name or query containing embedded SQL code. For example, imagine a content repository used to store customer data. An attacker could submit a node name like `'; DROP TABLE customers;--`. If not properly escaped, this injected SQL could be executed by the database, leading to the complete loss of the customer data table. The attack vector is network-based, meaning the attacker can exploit the vulnerability remotely if the application is exposed to the internet or accessible from a compromised network. The attack process involves crafting the malicious node name or query, submitting it to the application, and observing the resulting SQL execution. Potential outcomes include data exfiltration, data modification, denial of service, and potentially even database server compromise, depending on the database user's privileges.

3. Mitigation Recommendations
The primary mitigation is to upgrade to version 1.7.4 or later of the Jackalope Doctrine-DBAL component. This version includes the necessary escaping to prevent the SQL injection. If upgrading is not immediately possible, the advisory recommends escaping all instances where `$property` is used to filter `sv:name` within the `Jackalope\Transport\DoctrineDBAL\Query\QOMWalker` class using `XPath::escape($property)`. Organizations should also review and validate user input used in node names and queries, especially if those inputs are not thoroughly sanitized elsewhere in the application. Specifically, ensure that semicolons (`;`) are either escaped or validated to prevent their use in injected SQL code. Refer to the following resources for more details:
- GitHub Security Advisory: https://github.com/jackalope/jackalope-doctrine-dbal/security/advisories/GHSA-ph98-v78f-jqrm
- Commit Fixing the Vulnerability: https://github.com/jackalope/jackalope-doctrine-dbal/commit/9d179a36d320330ddb303ea3a7c98d3a33d231db

4. Executive Summary
CVE-2021-43822 represents a HIGH risk SQL injection vulnerability in the Jackalope Doctrine-DBAL component, a PHP library used for managing content repositories. A successful attack could allow an attacker to read, modify, or delete data within the repository, potentially impacting critical business operations and sensitive customer information. The vulnerability is exploitable remotely with relatively low privileges. The most effective mitigation is to upgrade to version 1.7.4 of Jackalope Doctrine-DBAL. If an immediate upgrade is not feasible, implementing the recommended escaping mechanism is crucial. Addressing this vulnerability is important to protect data confidentiality, integrity, and availability, and to prevent potential data breaches or service disruptions. Prompt action is recommended to minimize the risk of exploitation.