CVE-2015-7876 - Vulnerability Details - OpenCVE

The escapeLike function in sqlsrv/database.inc in the Drupal 7 driver for SQL Server and SQL Azure 7.x-1.x before 7.x-1.4 does not properly escape certain characters, which allows remote attackers to execute arbitrary SQL commands via vectors involving a module using the db_like function.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Drupal 7 Driver For Sql Server And Sql Azure Project	Drupal 7 Driver For Sql Server And Sql Azure

Configuration 1 [-]

OR	cpe:2.3:a:drupal_7_driver_for_sql_server_and_sql_azure_project:drupal_7_driver_for_sql_server_and_sql_azure:7.x-1.0:::::drupal::
	cpe:2.3:a:drupal_7_driver_for_sql_server_and_sql_azure_project:drupal_7_driver_for_sql_server_and_sql_azure:7.x-1.1:::::drupal::
	cpe:2.3:a:drupal_7_driver_for_sql_server_and_sql_azure_project:drupal_7_driver_for_sql_server_and_sql_azure:7.x-1.2:::::drupal::
	cpe:2.3:a:drupal_7_driver_for_sql_server_and_sql_azure_project:drupal_7_driver_for_sql_server_and_sql_azure:7.x-1.3:::::drupal::

No data.

References

Link	Providers
http://cgit.drupalcode.org/sqlsrv/commit/?id=2ea0da8
https://www.drupal.org/node/2569003
https://www.drupal.org/node/2569005
https://www.drupal.org/node/2569577

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2015-10-21T14:00:00

Updated: 2024-08-06T08:06:30.672Z

Reserved: 2015-10-21T00:00:00

Link: CVE-2015-7876

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2015-10-21T14:59:00.103

Modified: 2025-04-12T10:46:40.837

Link: CVE-2015-7876

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-09-16T00:00:00", "descriptions": [{"lang": "en", "value": "The escapeLike function in sqlsrv/database.inc in the Drupal 7 driver for SQL Server and SQL Azure 7.x-1.x before 7.x-1.4 does not properly escape certain characters, which allows remote attackers to execute arbitrary SQL commands via vectors involving a module using the db_like function."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-04-04T15:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.drupal.org/node/2569577"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.drupal.org/node/2569005"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.drupal.org/node/2569003"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://cgit.drupalcode.org/sqlsrv/commit/?id=2ea0da8"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-7876", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The escapeLike function in sqlsrv/database.inc in the Drupal 7 driver for SQL Server and SQL Azure 7.x-1.x before 7.x-1.4 does not properly escape certain characters, which allows remote attackers to execute arbitrary SQL commands via vectors involving a module using the db_like function."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.drupal.org/node/2569577", "refsource": "MISC", "url": "https://www.drupal.org/node/2569577"}, {"name": "https://www.drupal.org/node/2569005", "refsource": "CONFIRM", "url": "https://www.drupal.org/node/2569005"}, {"name": "https://www.drupal.org/node/2569003", "refsource": "CONFIRM", "url": "https://www.drupal.org/node/2569003"}, {"name": "http://cgit.drupalcode.org/sqlsrv/commit/?id=2ea0da8", "refsource": "CONFIRM", "url": "http://cgit.drupalcode.org/sqlsrv/commit/?id=2ea0da8"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T08:06:30.672Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.drupal.org/node/2569577"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.drupal.org/node/2569005"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.drupal.org/node/2569003"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://cgit.drupalcode.org/sqlsrv/commit/?id=2ea0da8"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-7876", "datePublished": "2015-10-21T14:00:00", "dateReserved": "2015-10-21T00:00:00", "dateUpdated": "2024-08-06T08:06:30.672Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:drupal_7_driver_for_sql_server_and_sql_azure_project:drupal_7_driver_for_sql_server_and_sql_azure:7.x-1.0:*:*:*:*:drupal:*:*", "matchCriteriaId": "15F81725-1142-4AFB-A10A-1C3BFA874EF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal_7_driver_for_sql_server_and_sql_azure_project:drupal_7_driver_for_sql_server_and_sql_azure:7.x-1.1:*:*:*:*:drupal:*:*", "matchCriteriaId": "F51874BA-1E8D-45AC-8556-2B3CC8CAA0D3", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal_7_driver_for_sql_server_and_sql_azure_project:drupal_7_driver_for_sql_server_and_sql_azure:7.x-1.2:*:*:*:*:drupal:*:*", "matchCriteriaId": "7C55A8BD-818E-4E75-9240-CD50CEBA7EF9", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal_7_driver_for_sql_server_and_sql_azure_project:drupal_7_driver_for_sql_server_and_sql_azure:7.x-1.3:*:*:*:*:drupal:*:*", "matchCriteriaId": "57B193C3-F9E7-4B15-A90A-987473DB6F97", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The escapeLike function in sqlsrv/database.inc in the Drupal 7 driver for SQL Server and SQL Azure 7.x-1.x before 7.x-1.4 does not properly escape certain characters, which allows remote attackers to execute arbitrary SQL commands via vectors involving a module using the db_like function."}, {"lang": "es", "value": "La funci\u00f3n escapeLike en sqlsrv/database.inc en el controlador de Drupal 7 para SQL Server y SQL Azure 7.x-1.x en versiones anteriores a 7.x-1.4 no escapa adecuadamente ciertos car\u00e1cteres, lo que permite a atacantes remotos ejecutar comandos SQL arbitrarios a trav\u00e9s de vectores que implican un m\u00f3dulo que usa la funci\u00f3n db_like."}], "id": "CVE-2015-7876", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-10-21T14:59:00.103", "references": [{"source": "cve@mitre.org", "url": "http://cgit.drupalcode.org/sqlsrv/commit/?id=2ea0da8"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://www.drupal.org/node/2569003"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://www.drupal.org/node/2569005"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://www.drupal.org/node/2569577"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://cgit.drupalcode.org/sqlsrv/commit/?id=2ea0da8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://www.drupal.org/node/2569003"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://www.drupal.org/node/2569005"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://www.drupal.org/node/2569577"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}