CVE-2022-31631

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Published: Feb 12, 2025 | Modified: Feb 13, 2025

Severity by source:
NVD: CVSS 3.x N/A; CVSS 2.x not listed
RedHat: V3 5.9 MODERATE (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H); V2 not listed
Ubuntu: MEDIUM

In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, and 8.2.* before 8.2.2, when the PDO::quote() function is used to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to quote the data incorrectly, which may in turn lead to SQL injection vulnerabilities.
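An added example, not code from the CVE record: it places the pattern the description refers to (PDO::quote() output spliced into SQL text on a SQLite connection) beside the parameterized form that keeps the value out of the SQL text entirely, and checks the running PHP version against the three affected ranges stated above. The users table, its rows and the function names are constructed for the demonstration.

```php
<?php
// Added example, not code from the CVE record. Shows the quoting pattern the
// description refers to beside the parameterized form, plus a version check.

// Affected ranges as stated in the description above (8.0.* < 8.0.27,
// 8.1.* < 8.1.15, 8.2.* < 8.2.2).
function isAffectedPhpVersion(string $version): bool
{
    $ranges = [['8.0.0', '8.0.27'], ['8.1.0', '8.1.15'], ['8.2.0', '8.2.2']];
    foreach ($ranges as [$from, $fixed]) {
        if (version_compare($version, $from, '>=') && version_compare($version, $fixed, '<')) {
            return true;
        }
    }
    return false;
}

// Pattern the record warns about: PDO::quote() output spliced into the SQL
// text. On an affected build an overly long $name may be quoted incorrectly.
function findUserQuoted(PDO $db, string $name): array
{
    $sql = 'SELECT id, name FROM users WHERE name = ' . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the value is bound as a parameter and never becomes part of
// the SQL text, so the driver's quoting code is not involved.
function findUserBound(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory SQLite database for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

printf("PHP %s in an affected range: %s\n", PHP_VERSION,
    isAffectedPhpVersion(PHP_VERSION) ? 'yes' : 'no');
print_r(findUserBound($db, 'bob'));
```

The version check covers only the ranges the description gives; distribution packages such as the Ubuntu and Red Hat builds listed below carry their own version strings and should be checked against the vendor's fixed package versions instead.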

Weakness

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Affected Software

Name | Vendor | Start Version | End Version
Red Hat Enterprise Linux 8 | RedHat | php:8.0-8070020230118114629.ef331662 | *
Red Hat Enterprise Linux 8 | RedHat | php:7.4-8080020230118140634.cc342424 | *
Red Hat Enterprise Linux 9 | RedHat | php-0:8.0.27-1.el9_1 | *
Red Hat Enterprise Linux 9 | RedHat | php:8.1-9020020230120141750.9 | *
Php5 | Ubuntu | esm-infra-legacy/trusty | *
Php5 | Ubuntu | trusty | *
Php5 | Ubuntu | trusty/esm | *
Php7.0 | Ubuntu | esm-infra/xenial | *
Php7.0 | Ubuntu | xenial | *
Php7.2 | Ubuntu | bionic | *
Php7.4 | Ubuntu | focal | *
Php8.1 | Ubuntu | jammy | *
Php8.1 | Ubuntu | kinetic | *
Php8.1 | Ubuntu | lunar | *
Php8.1 | Ubuntu | upstream | *
