SS-2018-018: Database credentials disclosure during connection failure

Severity: Medium
Identifier: SS-2018-018
Versions Affected: silverstripe/framework:^3.7, silverstripe/framework:^4.0
Versions Fixed: silverstripe/framework:3.7.1, silverstripe/framework:4.0.5, silverstripe/framework:4.1.3, silverstripe/framework:4.2.2, silverstripe/framework:4.3.0
Release Date: 2018-11-07

When running SilverStripe 3.7 or 4.x in dev mode with the mysqli database driver, the database connection details can be disclosed when a connection fails.

We have blacklisted the sensitive parts of the connection information so that they are no longer included in dev mode stack traces when database errors occur.
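One way to keep connection arguments out of a rendered stack trace, as an added PHP example that is not SilverStripe's own code: frames whose call is on a denylist have their arguments replaced before the trace is displayed. The denylist entries, the function names and the sample frames are assumptions constructed for illustration.

```php
<?php
// Added illustration, not SilverStripe's code. Denylist entries and the
// sample frames are constructed for this example.
const SENSITIVE_CALLS = [
    'mysqli_connect',                 // procedural call: match on function only
    'mysqli_real_connect',
    ['mysqli', '__construct'],        // method call: match on class + method
    ['mysqli', 'real_connect'],
];

function is_sensitive_frame(array $frame): bool
{
    // PHP function and class names are case-insensitive, so compare lowercased.
    $function = strtolower($frame['function'] ?? '');
    $class = strtolower($frame['class'] ?? '');
    foreach (SENSITIVE_CALLS as $entry) {
        if (is_array($entry)) {
            if ($class === strtolower($entry[0]) && $function === strtolower($entry[1])) {
                return true;
            }
        } elseif ($class === '' && $function === strtolower($entry)) {
            return true;
        }
    }
    return false;
}

function redact_backtrace(array $trace): array
{
    foreach ($trace as $i => $frame) {
        if (isset($frame['args']) && is_sensitive_frame($frame)) {
            // Keep the argument count so the frame still reads sensibly.
            $trace[$i]['args'] = array_fill(0, count($frame['args']), '<redacted>');
        }
    }
    return $trace;
}

// Constructed frames in the shape returned by debug_backtrace().
$trace = [
    ['function' => 'real_connect', 'class' => 'mysqli', 'type' => '->',
     'args' => ['db.internal', 'app_user', 'example-password', 'app_db']],
    ['function' => 'query', 'class' => 'ExampleDatabase', 'type' => '->',
     'args' => ['SELECT 1']],
];
foreach (redact_backtrace($trace) as $frame) {
    echo ($frame['class'] ?? '') . ($frame['type'] ?? '') . $frame['function'],
        '(', json_encode($frame['args'] ?? []), ")\n";
}
```

Frames further up the stack that receive the same credentials, for example as a parameters array, need their own denylist entries, since the filter only matches the calls it is told about.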

Reported by Dylan Wagstaff (SilverStripe Ltd) and Lukas Erni.