CVE-2022-31625 php: uninitialized array in pg_query_params() leading to RCE

Publication Date2022-05-16
SeverityHigh
TypeRemote Code Execution
Affected PHP Versions
  • 5.6.0 - 5.6.40
  • 7.1.0 - 7.1.33
  • 7.2.0 - 7.2.34
  • 7.3.0 - 7.3.33
  • 7.4.0 - 7.4.29
  • 8.0.0 - 8.0.19
  • 8.1.0 - 8.1.6
Fixed Product Versions
  • ZendPHP 5.6
  • ZendPHP 7.1
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendPHP 8.0
  • ZendPHP 8.1
  • ZendServer 2021.2.0

CVE Details

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres database extension, supplying invalid parameters to the parameterized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to RCE vulnerability or denial of service.

Recommendations

Validate any parameters you are passing to a parameterized Postgres query to ensure they are correct for the context.

If using the Postgres database extension, we highly recommend updating to PHP 8.1.7, 8.0.20, 7.4.30, ZendPHP 7.3, ZendPHP 7.2, ZendPHP 7.1, or ZendPHP 5.6, all of which contain a patch for this vulnerability.