VYPR
Critical severity · NVD Advisory · Published Feb 17, 2020 · Updated Aug 6, 2024

CVE-2014-8089

Description

SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in Zend Framework's sqlsrv driver allows remote attackers to execute arbitrary SQL commands via a null byte.

Vulnerability

Description

CVE-2014-8089 is a SQL injection vulnerability in Zend Framework when using the sqlsrv PHP extension. The flaw allows remote attackers to inject arbitrary SQL commands by sending a null byte in input parameters that are not properly sanitized before being used in database queries. It affects versions before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3 [1].

Exploitation

An attacker can exploit this vulnerability by including a null byte in a SQL query parameter. The attack is performed remotely and does not require authentication, since the injection occurs through user-supplied input that is processed by the sqlsrv extension. The vulnerability is triggered when the framework constructs SQL statements from untrusted data without proper escaping or parameterization [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands on the underlying database. This can lead to unauthorized data access, data modification, or complete compromise of the database server. The impact is critical as it bypasses security controls and can expose sensitive information [1][3][4].

Mitigation

Zend Framework addressed this issue by releasing patched versions: 1.12.9, 2.2.8, and 2.3.3. Users are advised to upgrade immediately. Red Hat also backported fixes to Fedora and EPEL repositories [2]. No workaround is available, so updating the framework is essential to prevent exploitation.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Ecosystem   Affected versions      Patched versions
zendframework/zendframework1   Packagist   >= 1.12.0, < 1.12.9    1.12.9
zendframework/zend-db          Packagist   >= 2.0.0, < 2.0.99     2.0.99
zendframework/zend-db          Packagist   >= 2.1.0, < 2.1.99     2.1.99
zendframework/zend-db          Packagist   >= 2.2.0, < 2.2.8      2.2.8
zendframework/zend-db          Packagist   >= 2.3.0, < 2.3.3      2.3.3
zendframework/zendframework    Packagist   >= 2.0.0, < 2.0.99     2.0.99
zendframework/zendframework    Packagist   >= 2.1.0, < 2.1.99     2.1.99
zendframework/zendframework    Packagist   >= 2.2.0, < 2.2.8      2.2.8
zendframework/zendframework    Packagist   >= 2.3.0, < 2.3.3      2.3.3

Affected products: 4

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 10

News mentions: 0 (no linked articles in our index yet)