cvedb.io
CVE-2021-43822
HIGH · CVSS 8.5
EPSS exploitation probability: 0%
Published 2021-12-13T20:15:07.757 · Last modified 2026-06-17T04:11:30.757

Summary

Jackalope Doctrine-DBAL is an implementation of the PHP Content Repository API (PHPCR) using a relational database to persist data. In affected versions users can provoke SQL injections if they can specify a node name or query. Upgrade to version 1.7.4 to resolve this issue. If that is not possible, you can escape all places where `$property` is used to filter `sv:name` in the class `Jackalope\Transport\DoctrineDBAL\Query\QOMWalker`: `XPath::escape($property)`. Node names and xpaths can contain `"` or `;` according to the JCR specification. The jackalope component that translates the query object model into doctrine dbal queries does not properly escape the names and paths, so that a accordingly crafted node name can lead to an SQL injection. If queries are never done from user input, or i

Affected products

jackalope_doctrine-dbal_project — jackalope_doctrine-dbal

Does this affect you?

Add your gear to cvedb and we'll alert you only when jackalope_doctrine-dbal_project ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.