SS-2018-018: Database credentials disclosure during connection failure
- Severity: Medium
- Identifier: SS-2018-018
- Versions Affected: silverstripe/framework:^3.7, silverstripe/framework:^4.0
- Versions Fixed: silverstripe/framework:3.7.1, silverstripe/framework:4.0.5, silverstripe/framework:4.1.3, silverstripe/framework:4.2.2, silverstripe/framework:4.3.0
- Release Date: 2018-11-07
When running SilverStripe 3.7 or 4.x in dev mode with the mysqli database driver, the database connection details can be disclosed.
We have blacklisted the sensitive parts of the connection information from being included in dev mode stack traces when database errors occur.
Reported by Dylan Wagstaff (SilverStripe Ltd) and Lukas Erni.
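
The kind of stack-trace argument filtering described above can be sketched as follows; this is an added example, not the SilverStripe framework's patch. The list of filtered calls, the `redactTrace()` function, the `connectDatabase()` helper and the credentials are all hypothetical or constructed for illustration.

```php
<?php
// Added illustration only; not SilverStripe framework code.
// Calls whose arguments must never be rendered in a trace (assumed list).
const REDACTED_CALLS = [
    'mysqli::__construct',
    'mysqli::real_connect',
    'mysqli_connect',
    'connectDatabase', // hypothetical application helper defined below
];

/** Return a copy of $trace with the arguments of listed calls masked. */
function redactTrace(array $trace, array $redactedCalls = REDACTED_CALLS): array
{
    $lookup = array_flip(array_map('strtolower', $redactedCalls));
    foreach ($trace as &$frame) {
        $name = strtolower($frame['function'] ?? '');
        $qualified = isset($frame['class'])
            ? strtolower($frame['class']) . '::' . $name
            : $name;
        // Mask every argument of a listed call, keeping the argument count.
        if (isset($lookup[$qualified]) && !empty($frame['args'])) {
            $frame['args'] = array_fill(0, count($frame['args']), '<filtered>');
        }
    }
    unset($frame);
    return $trace;
}

// Constructed stand-in for a failing connection; credentials are sample values.
function connectDatabase(string $host, string $user, string $password): void
{
    throw new RuntimeException('Connection refused');
}

try {
    connectDatabase('db.example.test', 'app_user', 'sample-password');
} catch (RuntimeException $e) {
    // Frames only carry 'args' when zend.exception_ignore_args is off.
    $render = fn($a) => is_scalar($a) ? (string) $a : gettype($a);
    foreach (redactTrace($e->getTrace()) as $i => $frame) {
        $args = implode(', ', array_map($render, $frame['args'] ?? []));
        printf("#%d %s(%s)\n", $i, $frame['function'], $args);
    }
}
```

On PHP 7.4 and later, setting `zend.exception_ignore_args = On` removes arguments from exception traces entirely, and PHP 8.2 adds the `#[\SensitiveParameter]` attribute for masking individual parameters.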