CVE-2022-31626

Description

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when pdo_mysql extension with mysqlnd driver, if the third party is allowed to supply host to connect to and the password for the connection, password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability.

Related CPE's

aphpphp********

aphpphp********

aphpphp********

References

https://bugs.php.net/bug.php?id=81719

ExploitIssue TrackingMailing ListPatchVendor Advisory

FEDORA-2022-f3fc52428e

Mailing ListThird Party Advisory

FEDORA-2022-0a96e5b9b1

Mailing ListThird Party Advisory

CvssV3 impact

Could not find any metrics

CvssV2 impact

AccessComplexity

MEDIUM

ConfidentialityImpact

PARTIAL

AvailabilityImpact

PARTIAL

IntegrityImpact

PARTIAL

BaseScore

6

VectorString

AV:N/AC:M/Au:S/C:P/I:P/A:P

Version

2.0

AccessVector

NETWORK

Authentication

SINGLE

Created by Yello
About Severity.io