PatchSiren cyber security CVE debrief

CVE-2016-6233 Fedoraproject CVE debrief

CVE-2016-6233 is a critical SQL injection vulnerability in Zend Framework’s Zend_Db_Select component. The issue affects the order and group methods in versions before 1.12.19 and is described as involving a regular-expression pattern that can be abused by remote attackers. Because the NVD record rates it CVSS 9.8 with network access, no privileges, and no user interaction required, this should be treated as an urgent patching issue for any exposed or database-backed application using the affected framework build.

Vendor: Fedoraproject
Product: CVE-2016-6233
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

Application owners, platform teams, and security engineers responsible for Zend Framework deployments prior to 1.12.19. Also review downstream packages or distro builds that embed the affected framework, including the Fedora CPEs listed in the NVD record.

Technical summary

The vulnerability is reported in Zend_Db_Select’s order and group methods, where a regular expression built on the character pattern [\w]* (which matches zero or more word characters, so it also accepts input containing none) can permit SQL injection. NVD classifies the weakness as CWE-89. The NVD CVSS 3.0 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a remotely reachable issue with potentially severe confidentiality, integrity, and availability impact. The NVD CPE data marks Zend Framework versions up to and including 1.12.19 as vulnerable, and also lists Fedora 23, 24, and 25 CPE entries as vulnerable.

Defensive priority

Immediate. Patch or replace the affected Zend Framework version as soon as possible, especially in internet-facing services or applications that generate SQL through Zend_Db_Select.

Recommended defensive actions

  • Upgrade Zend Framework to 1.12.19 or later, or to a vendor-supported release that includes the fix.
  • Inventory applications and libraries that use Zend_Db_Select order and group methods, and verify whether they depend on vulnerable framework versions.
  • Review the application’s database query generation paths for any reliance on user-controlled ordering or grouping inputs.
  • For packaged deployments, check distro advisories and update the relevant Fedora packages or downstream builds that include the fixed framework.
  • After remediation, perform regression testing on affected SQL-generation code paths to confirm behavior remains correct.
  • Track exposure in asset inventory and prioritize external-facing systems first.
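The review step above asks whether user-controlled ordering or grouping input reaches Zend_Db_Select. The following is an added example, not code from the advisory or from Zend Framework, of keeping such input off the regex-based path entirely by resolving it against an exact-match allowlist before it is handed to order(). The function names, the "column:direction" request format, and the sample column list are assumptions made for this example.

```php
<?php
// Added example: allowlist resolution of a user-supplied sort request
// before anything reaches Zend_Db_Select::order(). Nothing from the
// request string is passed through; only an allowlisted column name and
// a fixed ASC/DESC keyword are emitted.

/**
 * Resolve a request of the form "<column>" or "<column>:<asc|desc>"
 * (format assumed for this example) against an allowlist of columns.
 * Returns the clause to pass to order(), or null if it is not allowed.
 */
function resolveOrderClause(string $requested, array $allowedColumns): ?string
{
    $parts = explode(':', $requested, 2);
    $column = $parts[0];
    $direction = strtolower($parts[1] ?? 'asc');

    // Strict comparison against known identifiers: no pattern matching,
    // so an unexpected shape (empty name, parentheses, dots) never matches.
    if (!in_array($column, $allowedColumns, true)) {
        return null;
    }
    if ($direction !== 'asc' && $direction !== 'desc') {
        return null;
    }
    return $column . ' ' . strtoupper($direction);
}

/**
 * Apply the resolved clause, falling back to a fixed default ordering
 * when the request is not on the allowlist (hypothetical helper).
 */
function applyUserOrder(Zend_Db_Select $select, string $requested,
                        array $allowedColumns, string $fallback): Zend_Db_Select
{
    $clause = resolveOrderClause($requested, $allowedColumns) ?? $fallback;
    return $select->order($clause);
}

// Constructed sample input: the columns this listing is willing to sort by.
$allowed = ['id', 'created_at', 'status'];
var_dump(resolveOrderClause('created_at:desc', $allowed)); // allowed column
var_dump(resolveOrderClause('email:desc', $allowed));      // not allowlisted
var_dump(resolveOrderClause('status:random', $allowed));   // bad direction
```

The same resolution applies to group(): resolve the requested column against the allowlist and pass only the resolved identifier.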

Evidence notes

Source evidence in the supplied corpus includes the NVD record for CVE-2016-6233, which lists CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and CWE-89. The NVD CPE data marks cpe:2.3:a:zend:zend_framework:* with versionEndIncluding 1.12.19 as vulnerable, and also lists Fedora 23, 24, and 25 CPE entries. The referenced Zend security advisory ZF2016-02 is included in the corpus as the vendor advisory reference.

Official resources

Publicly recorded by NVD with a published date of 2017-02-17. The supplied corpus also references the Zend Framework vendor advisory ZF2016-02 as the primary technical disclosure source.