CVE-2021-43608: 
PHP vulnerability analysis and mitigation

Doctrine DBAL versions 3.x before 3.1.4 contained a critical SQL injection vulnerability in the LIMIT clause generation API. The vulnerability was discovered in November 2021 and assigned identifier CVE-2021-43608. The issue affected the Platform abstraction component, specifically when handling offset and length inputs for LIMIT clause generation (Doctrine Advisory, NVD).

The vulnerability occurred because the escaping of offset and length inputs to the generation of a LIMIT clause was not properly cast to an integer, allowing SQL injection when application developers passed unescaped user input to the DBAL QueryBuilder or any other API that ultimately uses the AbstractPlatform::modifyLimitQuery API. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could allow attackers to perform SQL injection attacks through unescaped user input, potentially leading to unauthorized access to or modification of database contents. Given the CVSS score of 9.8, this vulnerability could result in a complete compromise of system confidentiality, integrity, and availability (NVD).

The vulnerability was fixed in Doctrine DBAL version 3.1.4. Users are strongly advised to upgrade to this version immediately. As a temporary workaround, users can cast all limit and offset parameters to integers before passing them to Doctrine APIs (Doctrine Advisory).