CVE-2022-31631
Published: 2025-02-12
Severity: critical, 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, and 8.2.* before 8.2.2, when using the PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to quote the data incorrectly, which may in turn lead to SQL injection vulnerabilities.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php7.4 | < php7.4 7.4.33-1+deb11u3 (bullseye) | php7.4 7.4.33-1+deb11u3 (bullseye) |
| debian | php8.2 | < php7.4 7.4.33-1+deb11u3 (bullseye) | php7.4 7.4.33-1+deb11u3 (bullseye) |
| php | php | >= 8.0.0 < 8.0.27 | 8.0.27 |
| php | php | >= 8.1.0 < 8.1.15 | 8.1.15 |
| php | php | >= 8.2.0 < 8.2.2 | 8.2.2 |
| php_group | php | >= 8.0.x < 8.0.27 | 8.0.27 |
| php_group | php | >= 8.1.x < 8.1.15 | 8.1.15 |
| php_group | php | >= 8.2.x < 8.2.2 | 8.2.2 |
CVSS provenance
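| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| osv | | 9.1 | CRITICAL | |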