CVE-2021-43608

9.8 CRITICAL

📋 TL;DR

CVE-2021-43608 is a SQL injection vulnerability in Doctrine DBAL: AbstractPlatform::modifyLimitQuery() did not cast its offset and length (limit) parameters to integers before building the LIMIT clause. An application that passes unvalidated user input as a limit or offset to QueryBuilder, or to any other API that ends up in modifyLimitQuery(), is therefore open to SQL injection. Doctrine DBAL 3.x before 3.1.4 is affected; 3.1.4 fixes it.

💻 Affected Systems

Products:
  • Doctrine Database Abstraction Layer (DBAL)
Versions: 3.x before 3.1.4 (3.0.0 through 3.1.3 inclusive)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes (the library code path is vulnerable as shipped; whether it is reachable depends on the application, see Notes)
Notes: Exploitable only when the application passes unvalidated user input as a limit or offset to QueryBuilder (setMaxResults()/setFirstResult()) or to any other API that reaches AbstractPlatform::modifyLimitQuery(). Values cast to int before the call, or derived from trusted code, are not affected.
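
The cast boundary the advisory describes, as an added illustration that is not DBAL's or the project's code: a Python/SQLite stand-in that builds a LIMIT/OFFSET suffix the way an uncast string interpolation does, beside a version that casts first, plus a hypothetical pagination_params() guard for request parameters. The table, its rows and the "2 + 100" input are constructed for the example. SQLite accepts an arithmetic expression after LIMIT, and treats LIMIT -1 as "no limit", which is why the guard range-checks rather than relying on the cast alone.

```python
import sqlite3

# Constructed fixture: five rows so a LIMIT 2 OFFSET 1 page is easy to eyeball.
SCHEMA = (
    "CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT);"
    "INSERT INTO users(name) VALUES ('alice'),('bob'),('carol'),('dave'),('erin');"
)


def limit_clause_uncast(limit, offset):
    """The bug class: the raw values are interpolated into the SQL text."""
    return f" LIMIT {limit} OFFSET {offset}"


def limit_clause_cast(limit, offset):
    """The fix class: cast first, so anything that is not an integer literal
    raises ValueError instead of reaching the database."""
    return f" LIMIT {int(limit)} OFFSET {int(offset)}"


def pagination_params(query, default_limit=20, max_limit=100):
    """Hypothetical request-side guard (not a DBAL API): integers only,
    clamped to a sane range. Rejecting negatives matters because a cast
    alone lets 'LIMIT -1' through, which SQLite treats as 'no limit'."""
    try:
        limit = int(query.get("limit", default_limit))
        offset = int(query.get("offset", 0))
    except (TypeError, ValueError):
        raise ValueError("limit/offset must be integer literals")
    if not (1 <= limit <= max_limit) or offset < 0:
        raise ValueError("limit/offset out of range")
    return limit, offset


def fetch_page(clause_builder, limit, offset):
    """Run 'SELECT name FROM users' plus the generated suffix; return the names."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    sql = "SELECT name FROM users ORDER BY id" + clause_builder(limit, offset)
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    print(fetch_page(limit_clause_cast, 2, 1))            # ['bob', 'carol']
    print(fetch_page(limit_clause_uncast, "2 + 100", 0))  # all five rows
    try:
        fetch_page(limit_clause_cast, "2 + 100", 0)
    except ValueError as exc:
        print("cast rejected input:", exc)
```

The uncast builder returns every row for "2 + 100" because the database evaluates the expression; the cast builder refuses it before any SQL is built. "-1" survives the cast and still returns every row, so the guard's range check is the part that actually bounds what a client can request.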

📦 What is this software?

Doctrine DBAL is a PHP database abstraction layer: it provides a driver-independent Connection API, a QueryBuilder, schema tooling and per-database "platform" classes (the AbstractPlatform hierarchy) that render dialect-specific SQL such as LIMIT/OFFSET clauses. It is the layer underneath Doctrine ORM and is widely used both directly and through frameworks such as Symfony.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full database compromise including data theft, modification, or deletion, and potential remote code execution depending on database configuration.

🟠

Likely Case

Data exfiltration, unauthorized data modification, and potential privilege escalation through SQL injection.

🟢

If Mitigated

Limited impact where the application already casts or range-checks limit/offset values before handing them to DBAL. Parameterized queries alone do not cover these values: they are interpolated into the SQL text by modifyLimitQuery(), not bound as parameters.

🌐 Internet-Facing: HIGH - Web applications accepting user input for pagination, sorting, or limit operations are directly exposed.
🏢 Internal Only: MEDIUM - Internal applications could still be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are commonly exploited, and the vulnerability is in a widely used database abstraction library.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.4 or later

Vendor Advisory: https://github.com/doctrine/dbal/security/advisories/GHSA-r7cj-8hjg-x622

Restart Required: No (reload PHP-FPM or the web server only if opcache.validate_timestamps=0, since the updated files would otherwise not be picked up)

Instructions:

1. Update Doctrine DBAL to 3.1.4 or later with Composer: composer require doctrine/dbal:^3.1.4 (or composer update doctrine/dbal if the existing constraint already allows 3.1.4).
2. Verify the installed version: composer show doctrine/dbal
3. Commit the updated composer.lock and deploy it, then test application functionality, in particular pagination and anything that calls setMaxResults()/setFirstResult().

🔧 Temporary Workarounds

Input Validation Workaround (applies to: all platforms)

Validate and cast offset/limit parameters to integers before passing them to setMaxResults()/setFirstResult() or any other API that reaches AbstractPlatform::modifyLimitQuery(); reject negative values and cap the maximum, since the cast alone still lets any integer through.

// PHP example: cast (with defaults) before the values reach DBAL, then bound-check them
$limit = (int) ($_GET['limit'] ?? 20); $offset = (int) ($_GET['offset'] ?? 0);

🧯 If You Can't Patch

  • Implement strict input validation for all user-provided limit/offset parameters
  • Keep using parameterized queries for WHERE values, but note they do not cover limit/offset: in affected versions those are interpolated into the SQL text by modifyLimitQuery(), so never pass raw user input to setMaxResults()/setFirstResult(); cast and range-check it first

🔍 How to Verify

Check if Vulnerable:

Run 'composer show doctrine/dbal', or read the doctrine/dbal entry in composer.lock (which records the installed version, unlike the constraint in composer.json), and check whether the version is 3.0.0 through 3.1.3 inclusive. DBAL 2.x is not listed as affected.

Check Version:

composer show doctrine/dbal | grep versions

Verify Fix Applied:

Confirm version is 3.1.4 or higher with 'composer show doctrine/dbal'
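
A scriptable form of the check above for use across many deployments, as an added example that is not the project's tooling: it reads the installed doctrine/dbal version from a composer.lock or from 'composer show doctrine/dbal' output and reports whether it falls in 3.0.0 through 3.1.3. The lock fragment and the composer show text below are constructed for the example, and the 'versions : * 3.1.4' line format is assumed from Composer's human-readable output.

```python
import json
import re

AFFECTED_FROM = (3, 0, 0)   # first affected release; 2.x is not listed as affected
FIXED_IN = (3, 1, 4)        # first fixed release

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """'v3.1.3' or '3.1.3' -> (3, 1, 3); None for branches such as '3.2.x-dev'."""
    m = VERSION_RE.match(version.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    """True if 3.0.0 <= version < 3.1.4, False if outside, None if unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return AFFECTED_FROM <= parsed < FIXED_IN


def dbal_version_from_lock(lock_text):
    """Installed doctrine/dbal version from composer.lock JSON (prod or dev section)."""
    data = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == "doctrine/dbal":
                return pkg.get("version")
    return None


def dbal_version_from_show(output):
    """Installed version from 'composer show doctrine/dbal' text. Assumes the
    'versions : * 3.1.4' line, where '*' marks the installed version."""
    m = re.search(r"^versions\s*:\s*\*\s*(\S+)", output, re.MULTILINE)
    return m.group(1) if m else None


# Constructed sample inputs (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "doctrine/dbal", "version": "3.1.3"},
        {"name": "symfony/console", "version": "v5.4.0"},
    ],
    "packages-dev": [],
})
SAMPLE_SHOW = "name     : doctrine/dbal\nversions : * 3.1.4\n"

if __name__ == "__main__":
    lock_version = dbal_version_from_lock(SAMPLE_LOCK)
    show_version = dbal_version_from_show(SAMPLE_SHOW)
    print("composer.lock:", lock_version, "affected:", is_affected(lock_version))
    print("composer show:", show_version, "affected:", is_affected(show_version))
```

A None result from is_affected() means the version string is a branch alias or otherwise unparseable; treat those as "unknown, inspect manually" rather than as clean.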

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries with LIMIT clauses containing non-numeric values
  • Database errors related to SQL syntax in LIMIT operations

Network Indicators:

  • HTTP requests with suspicious limit/offset parameters containing SQL keywords

SIEM Query:

web_logs WHERE (uri_query CONTAINS 'limit=' OR uri_query CONTAINS 'offset=') AND (uri_query CONTAINS 'UNION' OR uri_query CONTAINS 'SELECT' OR uri_query CONTAINS '--')

This is a pseudo-query; adapt it to your SIEM. Match case-insensitively and against the URL-decoded query string where the platform allows it (otherwise %20UNION or lower-case union slips through), and consider alerting on any limit/offset value that is not a plain integer rather than only on the keywords above, which also removes false positives from search terms in unrelated parameters.
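
The detection logic above, run over sample web server lines, as an added example that is not part of the page or any vendor tooling: it parses combined-format access log lines, URL-decodes the query string, and flags any limit or offset parameter whose value is not a bare integer, listing which SQL markers it contains. The naive substring rule from the SIEM query is included side by side to show the false positive it produces on a search term. The log lines are constructed for the example, and the marker list extends the page's three keywords with ';', '/*' and a single quote (an assumption).

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Markers from the page's SIEM rule plus a few common ones (assumption).
SQL_MARKERS = ("UNION", "SELECT", "--", ";", "/*", "'")
INT_LITERAL = re.compile(r"-?\d+")
# Combined-format access log; only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) '
)

# Constructed sample lines (not from any real system).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2021:10:00:01 +0000] "GET /users?page=2&limit=20&offset=40 HTTP/1.1" 200 512
10.0.0.6 - - [01/Dec/2021:10:00:02 +0000] "GET /users?limit=20%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 0
10.0.0.7 - - [01/Dec/2021:10:00:03 +0000] "GET /users?offset=0)%3B-- HTTP/1.1" 500 0
10.0.0.8 - - [01/Dec/2021:10:00:04 +0000] "GET /search?q=SELECT%20manual&limit=10 HTTP/1.1" 200 100
"""


def naive_siem_match(uri):
    """The page's substring rule, applied to the raw (still encoded) query."""
    q = urlsplit(uri).query
    return ("limit=" in q or "offset=" in q) and any(k in q for k in ("UNION", "SELECT", "--"))


def check_request_uri(uri):
    """Decode the query, look only at limit/offset, and flag any value that is
    not a bare integer literal. Returns (param, decoded value, markers) tuples."""
    findings = []
    for name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        if name.lower() not in ("limit", "offset"):
            continue
        if INT_LITERAL.fullmatch(value.strip()):
            continue
        upper = value.upper()
        markers = [m for m in SQL_MARKERS if m in upper]
        findings.append((name, value, markers))
    return findings


def scan_log(text):
    """Parse each line and return (ip, uri, findings) for the lines that fire."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = check_request_uri(m["uri"])
        if findings:
            alerts.append((m["ip"], m["uri"], findings))
    return alerts


if __name__ == "__main__":
    for ip, uri, findings in scan_log(SAMPLE_LOG):
        print(ip, uri, findings)
    print("naive rule on the search line:",
          naive_siem_match("/search?q=SELECT%20manual&limit=10"))  # True (false positive)
```

The parameter-aware check fires on the two injection attempts and stays quiet on the search request, which the naive rule flags because 'SELECT' and 'limit=' both appear somewhere in its query string. Flagging on "not an integer" rather than on keywords also catches payloads that avoid the listed words entirely.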
