CVE-2022-31625

Name
CVE-2022-31625
Description
In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to RCE vulnerability or denial of service.
NVD Severity
high
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://bugs.php.net/bug.php?id=81720
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3T4MMEEZYYAEHPQMZDFN44PHORJWJFZQ/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZTZQKRGEYJT5UB4FGG3MOE72SQUHSL4/
Third Party Advisory https://www.debian.org/security/2022/dsa-5179
Third Party Advisory https://security.netapp.com/advisory/ntap-20220722-0005/
Third Party Advisory https://security.gentoo.org/glsa/202209-20
Mailing List https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZZTZQKRGEYJT5UB4FGG3MOE72SQUHSL4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3T4MMEEZYYAEHPQMZDFN44PHORJWJFZQ/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* php >= 8.1.0 < 8.1.7
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* php >= 8.0.0 < 8.0.20
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* php >= 7.4.0 < 7.4.30

Vulnerable and fixed packages

Source package Branch Version Maintainer Status