CVE-2022-31625
published 2022-06-16

Priority: P3 46 high
CVSS 3.1 base score: 8.1 (HIGH), vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.44% (87.5th percentile)
In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to RCE vulnerability or denial of service.

Affected

11 ranges

Vendor      Product                         Version range                                   Fixed in
debian      debian_linux
debian      debian_linux
debian      php7.4                          < php7.4 7.4.30-1+deb11u1 (bullseye)            php7.4 7.4.30-1+deb11u1 (bullseye)
msrc        cbl2_php_on_cbl_mariner_2.0
paloalto    pan-os
php         php                             >= 7.4.0 < 7.4.30                               7.4.30
php         php                             >= 8.0.0 < 8.0.20                               8.0.20
php         php                             >= 8.1.0 < 8.1.7                                8.1.7
php_group   php                             >= 7.4.X < 7.4.30                               7.4.30
php_group   php                             >= 8.0.X < 8.0.20                               8.0.20
php_group   php                             >= 8.1.X < 8.1.7                                8.1.7

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      8.1     HIGH       CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
osv                       8.1     HIGH
vendor_debian             8.1     HIGH
vendor_msrc               8.1     HIGH
vendor_redhat             8.1     HIGH
vendor_ubuntu             8.1     HIGH