PT-2021-23957 · Unknown · Jackalope Doctrine-Dbal

Alexander-Schranz · Published 2021-12-13 · Updated 2021-12-17 · CVE-2021-43822

CVSS v3.1: 8.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Jackalope Doctrine-DBAL versions prior to 1.7.4
Description: The issue allows users to provoke SQL injections if they can specify a node name or query. The Jackalope component that translates the query object model (QOM) into Doctrine DBAL queries does not properly escape node names and paths. According to the JCR specification, node names and XPath expressions may legitimately contain a double quote (") or a semicolon (;), so such characters reach the generated query unescaped. You are not affected if queries are never built from user input, or if you validate user input so that it cannot contain a semicolon (;).
Recommendations: Upgrade to version 1.7.4 to resolve this issue. If that is not possible, escape every place where $property is used to filter sv:name in the class Jackalope\Transport\DoctrineDBAL\Query\QOMWalker, using XPath::escape($property). As a temporary workaround, validate user input so that it does not contain a semicolon (;) to reduce the risk of exploitation.
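
To illustrate the kind of escaping the recommendation refers to, the following is an added example written for this page; it is not Jackalope's own code, and the helper names xpathStringLiteral, svNameFilterUnsafe, svNameFilterSafe and assertNoSemicolon are hypothetical. It builds the sv:name predicate with the property name emitted as a proper XPath 1.0 string literal (falling back to concat() when the value contains both quote characters), contrasts that with direct string interpolation, and includes the semicolon check the advisory suggests as a stop-gap:

```php
<?php
declare(strict_types=1);

/**
 * Return $value as an XPath 1.0 string literal.
 *
 * Hypothetical helper for this advisory, not Jackalope's XPath::escape.
 * XPath 1.0 has no escape sequence inside string literals, so a value
 * containing both " and ' has to be assembled with concat().
 */
function xpathStringLiteral(string $value): string
{
    if (strpos($value, '"') === false) {
        return '"' . $value . '"';
    }
    if (strpos($value, "'") === false) {
        return "'" . $value . "'";
    }
    // Both quote kinds present: split on " and re-join the parts with a
    // single-quoted '"' piece between them, e.g. concat("a", '"', "b'c").
    $pieces = [];
    foreach (explode('"', $value) as $i => $part) {
        if ($i > 0) {
            $pieces[] = "'\"'";
        }
        if ($part !== '') {
            $pieces[] = '"' . $part . '"';
        }
    }
    return 'concat(' . implode(', ', $pieces) . ')';
}

/** Unsafe: the property name is interpolated straight into the predicate. */
function svNameFilterUnsafe(string $property): string
{
    return '//sv:property[@sv:name="' . $property . '"]/sv:value[1]';
}

/** Safe: the property name only ever appears as a complete XPath literal. */
function svNameFilterSafe(string $property): string
{
    return '//sv:property[@sv:name=' . xpathStringLiteral($property) . ']/sv:value[1]';
}

/** Temporary workaround from the advisory: refuse input that contains ';'. */
function assertNoSemicolon(string $input): void
{
    if (strpos($input, ';') !== false) {
        throw new InvalidArgumentException('node names and queries must not contain ";"');
    }
}

// Constructed sample inputs. The second is a JCR-legal name that contains a
// double quote; interpolated verbatim it terminates the predicate's literal early.
$benign = 'jcr:title';
$quoted = 'say "hi"';

assertNoSemicolon($benign);
assertNoSemicolon($quoted);

echo svNameFilterUnsafe($quoted), PHP_EOL;
// //sv:property[@sv:name="say "hi""]/sv:value[1]    <- predicate broken open
echo svNameFilterSafe($quoted), PHP_EOL;
// //sv:property[@sv:name='say "hi"']/sv:value[1]    <- still one literal
echo svNameFilterSafe('a"b\'c'), PHP_EOL;
// //sv:property[@sv:name=concat("a", '"', "b'c")]/sv:value[1]
```

The XPath literal is only one layer. Because the walker ultimately emits SQL, the expression still ends up inside a SQL string, which must be quoted by the DBAL connection rather than by concatenation; in particular a single-quoted XPath literal must never be dropped into a single-quoted SQL literal as-is. Escaping in this manner is the stop-gap the advisory describes; upgrading to 1.7.4 remains the fix.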

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2021-43822
GHSA-PH98-V78F-JQRM

Affected Products

Jackalope Doctrine-Dbal