CVE-2022-31625 | Zend by Perforce

CVE-2022-31625 php: uninitialized array in pg_query_params() leading to RCE

Publication Date	2022-05-16
Severity	High
Type	Remote Code Execution
Affected PHP Versions	5.6.0 - 5.6.40 7.1.0 - 7.1.33 7.2.0 - 7.2.34 7.3.0 - 7.3.33 7.4.0 - 7.4.29 8.0.0 - 8.0.19 8.1.0 - 8.1.6
Fixed Product Versions	ZendPHP 5.6 ZendPHP 7.1 ZendPHP 7.2 ZendPHP 7.3 ZendPHP 7.4 ZendPHP 8.0 ZendPHP 8.1 ZendServer 8.5.19 ZendServer 9.1.14 ZendServer 2019.1.1 ZendServer 2021.2.0

CVE Details

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres database extension, supplying invalid parameters to the parameterized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to RCE vulnerability or denial of service.

Recommendations

Validate any parameters you are passing to a parameterized Postgres query to ensure they are correct for the context.

If using the Postgres database extension, we highly recommend updating to PHP 8.1.7, 8.0.20, 7.4.30, ZendPHP 7.3, ZendPHP 7.2, ZendPHP 7.1, or ZendPHP 5.6, all of which contain a patch for this vulnerability.

< View all CVEs