CVE-2022-31631

Description

In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to incorrectly quote the data, which may further lead to SQL injection vulnerabilities.

How to fix CVE-2022-31631

To remediate CVE-2022-31631, upgrade the affected package to a fixed version below.

• —upgrade to 8.0.27 or later
• —upgrade to 8.0.27 or later
• —upgrade to 8.0.27 or later
• —upgrade to 7.3.31-1~deb10u3 or later
• —upgrade to 7.4.33-1+deb11u3 or later
• —upgrade to 7.4.33-1+deb11u3 or later
• —upgrade to 8.2.1-1 or later

Is CVE-2022-31631 being exploited?

Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.

Affected packages (7)

• >= 8.0.0, < 8.0.27, >= 8.1.0, < 8.1.15, >= 8.2.0, < 8.2.2
• >= 8.0.0, < 8.0.27, >= 8.1.0, < 8.1.15, >= 8.2.0, < 8.2.2
• >= 8.0.0, < 8.0.27, >= 8.1.0, < 8.1.15, >= 8.2.0, < 8.2.2
• from 0, < 7.3.31-1~deb10u3
• from 0, < 7.4.33-1+deb11u3
• from 0, < 7.4.33-1+deb11u3
• from 0, < 8.2.1-1

CVSS scores

References (4)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-31631
• WEBbugs.php.net/bug.php?id=81740
• WEBnvd.nist.gov/vuln/detail/CVE-2022-31631
• WEBsecurity.netapp.com/advisory/ntap-20230223-0007/