CVE-2022-31625

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to RCE vulnerability or denial of service.

Published: Jun 16, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-31625
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-763

Affected Software
References

Software	From	Fixed in
php / php	8.1.0	8.1.7
php / php	8.0.0	8.0.20
php / php	7.4.0	7.4.30
debian / debian_linux	10.0	10.0.x
debian / debian_linux	11.0	11.0.x

https://bugs.php.net/bug.php?id=81720
https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/3T4MMEEZYYAEHPQMZDFN44PHORJWJFZQ/
https://lists.fedoraproject.org/archives/list/[email protected]/message/ZZTZQKRGEYJT5UB4FGG3MOE72SQUHSL4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3T4MMEEZYYAEHPQMZDFN44PHORJWJFZQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZZTZQKRGEYJT5UB4FGG3MOE72SQUHSL4/
https://security.gentoo.org/glsa/202209-20
https://security.netapp.com/advisory/ntap-20220722-0005/
https://www.debian.org/security/2022/dsa-5179

Vulnerability Database

289,689

CVE-2022-31625