CVE-2022-31631

CWE-74 CWE-190 — Integer Overflow9 documents7 sources

Severity

9.1CRITICAL

EPSS

0.7%

top 28.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PHP Group PHP PHP PHP

Timeline

PublishedFeb 12

Latest updateFeb 13

Description

In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to incorrectly quote the data, which may further lead to SQL injection vulnerabilities.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages5 packages

▶NVDphp/php8.0.0 — 8.0.27+2

▶CVEListV5php_group/php8.0.x — 8.0.27+2

▶Debianphp7.4< 7.4.33-1+deb11u3

▶Debianphp8.2< 8.2.1-1

▶Ubuntuphp7.0< 7.0.33-0ubuntu0.16.04.16+esm5

🔴Vulnerability Details

GHSA

GHSA-4qmr-c42j-3wg2: In PHP versions 8↗2025-02-13

▶

OSV

CVE-2022-31631: In PHP versions 8↗2025-02-12

▶

CVEList

PDO::quote() may return unquoted string↗2025-02-12

▶

OSV

php7.0 vulnerabilities↗2023-03-02

▶

📋Vendor Advisories

Ubuntu

PHP vulnerabilities↗2023-03-02

▶

Ubuntu

PHP vulnerability↗2023-01-23

▶

Red Hat

php: PDO:: quote() may return unquoted string due to an integer overflow↗2023-01-05

▶

Debian

CVE-2022-31631: php7.4 - In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 whe...↗2022

▶