CVE-2021-3850: 
PHP vulnerability analysis and mitigation

Authentication Bypass vulnerability (CVE-2021-3850) was discovered in ADOdb library for PHP versions prior to 5.20.21. The vulnerability allows attackers to inject values into the PostgreSQL connection string by bypassing the adodb_addslashes() function. This security flaw was initially reported by Emmet Leahy of Sorcery Ltd (Debian Security, GitHub Commit).

The vulnerability exists in the PostgreSQL connection handling where the adodb_addslashes() function could be bypassed. An attacker could exploit this by surrounding the username in quotes and submitting with other parameters injected in between. The vulnerability has been assigned a CVSS 3.1 base score of 9.1 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (Ubuntu CVE).

The vulnerability could lead to authentication bypass, potential exposure of server IP addresses, and other unspecified impacts depending on how the library is implemented. The high severity rating indicates significant potential for unauthorized access and data manipulation (Debian LTS).

The vulnerability has been fixed in ADOdb version 5.20.21 and later. Various Linux distributions have released security updates: Ubuntu has fixed versions available for multiple releases (5.20.19-1ubuntu0.1 for 22.04 LTS), Debian has released updates (5.20.14-1+deb10u1 for buster, 5.20.19-1+deb11u1 for bullseye), and fixes are available through Ubuntu Pro for ESM Apps (Ubuntu CVE, Debian Security).