silverstripe/framework may disclose database credentials during connection failure
When running SilverStripe 3.7 or 4.x in dev mode with the mysqli database driver, there is a potential to disclose the connection details.
We have blacklisted the sensitive parts of the connection information from being included in dev mode stack traces when database errors occur.
| Software | From | Fixed in |
|---|---|---|
silverstripe / framework
|
3.7.0-rc1 | 3.7.1 |
|
silverstripe / framework
|
4.0.0-rc1 | 4.0.5 |
|
silverstripe / framework
|
4.1.0-rc1 | 4.1.3 |
|
silverstripe / framework
|
4.2.0-rc1 | 4.2.2 |
- https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2018-018-1.yaml
- https://github.com/silverstripe/silverstripe-framework/commit/214e28127f5425b61c15b69f884afdbad31133c2
- https://github.com/silverstripe/silverstripe-framework/commit/54251952387394d72b221e797a80edfbf9a973ee
- https://github.com/silverstripe/silverstripe-framework/commit/9aabe0a0f7a061d87cc92923f8811e14d7a032f5
- https://www.silverstripe.org/download/security-releases/ss-2018-018
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime