CVE-2019-12149: Potential SQL injection in restfulserver and registry modules
- Moderate (?)
- Versions Affected:
- silverstripe/restfulserver:^1.0, silverstripe/restfulserver:^2.0, silverstripe/registry:^2.1
- Versions Fixed:
- silverstripe/restfulserver:1.0.9, silverstripe/restfulserver:2.0.4, silverstripe/restfulserver:2.1.2, silverstripe/registry:2.1.1, silverstripe/registry:2.2.1
- Release Date:
A potential SQL injection vulnerability has been identified in the silverstripe/restfulserver and silverstripe/registry modules which may allow specially crafted user input to be executed as SQL statements. All users of silverstripe/restfulserver are affected. Users of silverstripe/registry will be affected if they have had a developer implement the features of the module, since it is not enabled by default.
Users with a Web Application Firewall (WAF) are typically less affected, since they protect against malicious request payloads by default, however we still advise customers to upgrade their versions of each of these modules at their early convenience. Note that the New Zealand Government Common Web Platform has a WAF.