Fluid Attacks Database

Description

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when pdo_mysql extension with mysqlnd driver, if the third party is allowed to supply host to connect to and the password for the connection, password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	php7.4	=7.4.21-1+deb11u1 \|\| =7.4.25-1+deb11u1 \|\| =7.4.26-1 \|\| =7.4.28-1+deb11u1 \|\| >=0 <7.4.30-1+deb11u1	7.4.30-1+deb11u1
rpm rhel8	php	<0:7.4.19-3.module+el8.6.0+15726+994cde98	0:7.4.19-3.module+el8.6.0+15726+994cde98
rpm rhel8.4	php	<0:7.4.6-5.module+el8.4.0+15727+276bb227	0:7.4.6-5.module+el8.4.0+15727+276bb227
rpm rhel9	php	<0:8.0.13-2.el9_0	0:8.0.13-2.el9_0

Aliases

1. CVE-2022-316262. NVD-2022-316263. OSV-DEBIAN-2022-316264. OSV-2022-316265. SECURITY-TRACKER-CVE-2022-31626

References

1. https://github.com/amitlttwo/CVE-2022-31626

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.