CVE-2022-31625
8.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to RCE vulnerability or denial of service.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| PHP Group | PHP | 7.4.X < 7.4.30 | affected |
| PHP Group | PHP | 8.0.X < 8.0.20 | affected |
| PHP Group | PHP | 8.1.X < 8.1.7 | affected |
Weaknesses
- CWE-590: CWE-590 Free of Memory not on the Heap
- CWE-824: CWE-824 Access of Uninitialized Pointer
ADP Enrichment
CVE Program Container
Additional References
- https://bugs.php.net/bug.php?id=81720
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZZTZQKRGEYJT5UB4FGG3MOE72SQUHSL4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3T4MMEEZYYAEHPQMZDFN44PHORJWJFZQ/
- https://www.debian.org/security/2022/dsa-5179
- https://security.netapp.com/advisory/ntap-20220722-0005/
- https://security.gentoo.org/glsa/202209-20
- https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html
References
- https://bugs.php.net/bug.php?id=81720
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZZTZQKRGEYJT5UB4FGG3MOE72SQUHSL4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3T4MMEEZYYAEHPQMZDFN44PHORJWJFZQ/
- https://www.debian.org/security/2022/dsa-5179
- https://security.netapp.com/advisory/ntap-20220722-0005/
- https://security.gentoo.org/glsa/202209-20
- https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.