codeigniter/framework SQL injection in ODBC database driver

CodeIgniter 3.1.0 addressed a critical security issue within the ODBC database driver. This update includes crucial fixes to mitigate a SQL injection vulnerability, preventing potential exploitation by attackers. It is noteworthy that these fixes render the query builder and escape() functions incompatible with the ODBC driver. However, the update introduces actual query binding as a more secure alternative.

Published: May 15, 2024
Updated: Jun 27, 2024
GHSA: GHSA-27qr-636m-wxg2
Severity: Critical
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
codeigniter / framework	-	3.1.0

https://forum.codeigniter.com/thread-65803.html
https://github.com/FriendsOfPHP/security-advisories/blob/master/codeigniter/framework/2016-07-26-1.yaml
https://github.com/simplysites/CodeIgniter/commit/3d10ffa77854044570a1809a884776fd4bbd8b70

Vulnerability Database

codeigniter/framework SQL injection in ODBC database driver