CVE-2019-12149: silverstripe restfulserver and registry modules SQL injection vulnerability
9.8
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.57893%
CWE
Published
5/24/2022
Updated
4/25/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
silverstripe/restfulserver | composer | >= 2.1.0, < 2.1.2 | 2.1.2 |
silverstripe/registry | composer | >= 2.1.0, < 2.1.1 | 2.1.1 |
silverstripe/registry | composer | >= 2.2.0, < 2.2.1 | 2.2.1 |
silverstripe/restfulserver | composer | >= 1.0.0, < 1.0.9 | 1.0.9 |
silverstripe/restfulserver | composer | >= 2.0.0, < 2.0.4 | 2.0.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The provided vulnerability information describes SQL injection in silverstripe/restfulserver
and silverstripe/registry
modules, but no specific code examples, commit diffs, or patched function
details are available in the references. While the CWE-89 indicates improper SQL neutralization, the advisory materials (including SilverStripe's security notice and GitHub Advisory) don't disclose exact vulnerable functions
or file paths. Without access to pre-patch code or patch details, we can't confidently identify specific functions
. The vulnerability likely stems from unsanitized user input in REST API parameter handling (restfulserver
) or registry query builders, but this remains speculative.