GHSA-m2hh-2m46-x6j5: silverstripe/framework may disclose database credentials during connection failure
When running SilverStripe 3.7 or 4.x in dev mode with the mysqli database driver, there is a potential to disclose the connection details.
We have denylisted the sensitive parts of the connection information from being included in dev mode stack traces when database errors occur.
References
- github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2018-018-1.yaml
- github.com/advisories/GHSA-m2hh-2m46-x6j5
- github.com/silverstripe/silverstripe-framework
- github.com/silverstripe/silverstripe-framework/commit/214e28127f5425b61c15b69f884afdbad31133c2
- github.com/silverstripe/silverstripe-framework/commit/54251952387394d72b221e797a80edfbf9a973ee
- github.com/silverstripe/silverstripe-framework/commit/9aabe0a0f7a061d87cc92923f8811e14d7a032f5
- www.silverstripe.org/download/security-releases/ss-2018-018
Code Behaviors & Features
Detect and mitigate GHSA-m2hh-2m46-x6j5 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →