cbcvebase.
CVE-2022-31626
published 2022-06-16

CVE-2022-31626: In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when pdo_mysql extension with mysqlnd driver, if the third party is allowed to…

PriorityP270high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
58.38%
99.0th percentile
In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when pdo_mysql extension with mysqlnd driver, if the third party is allowed to supply host to connect to and the password for the connection, password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability.

Affected

11 ranges
VendorProductVersion rangeFixed in
debiandebian_linux
debiandebian_linux
debianphp7.4< php7.4 7.4.30-1+deb11u1 (bullseye)php7.4 7.4.30-1+deb11u1 (bullseye)
msrccbl2_php_on_cbl_mariner_2.0
paloaltopan-os
phpphp>= 7.4.0 < 7.4.307.4.30
phpphp>= 8.0.0 < 8.0.208.0.20
phpphp>= 8.1.0 < 8.1.78.1.7
php_groupphp>= 7.4.X < 7.4.307.4.30
php_groupphp>= 8.0.X < 8.0.208.0.20
php_groupphp>= 8.1.X < 8.1.78.1.7

Detection & IOCsextracted from sources · hover to see the quote

  • Vulnerability is triggered via pdo_mysql extension using the mysqlnd driver when a third party supplies an excessively long password — monitor for abnormally long password strings passed through PDO MySQL connections
  • The buffer overflow occurs specifically in mysqlnd_wireprotocol.c within the mysqlnd/pdo code path — focus code review and runtime monitoring on this file/component
  • ·Only PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7 are affected; versions outside these ranges are not vulnerable
  • ·Vulnerability is only exploitable when the pdo_mysql extension is loaded with the mysqlnd driver (not libmysqlclient); verify driver in use before assessing exposure
  • ·Exploitation requires the attacker to control both the MySQL host and the password supplied to the connection — applications that do not expose these parameters to untrusted input are not at risk
  • ·Red Hat Enterprise Linux 6 and 7 ship a version of php that is marked Not Affected for this CVE

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.0MEDIUMAV:N/AC:M/Au:S/C:P/I:P/A:P
osv8.8HIGH
vendor_ubuntu8.1HIGH
vendor_debian7.5HIGH
vendor_msrc7.5HIGH
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.