CVE-2022-31626
CVE-2022-31626 php: password of excessive length triggers buffer overflow leading to RCE
Publication Date | 2022-05-16 |
---|---|
Severity | High |
Type | Remote Code Execution |
Affected PHP Versions |
|
Fixed Product Versions |
|
CVE Details
When using the PDO_MySQL extension with the mysqlnd driver, if a third party is allowed to supply the host and credentials with which to connect, a password of excessive length can trigger a buffer overflow in PHP, leading to a remote code execution vulnerability.
Recommendations
If you use the PDO_MySQL extension with the mysqlnd driver, you should upgrade to a patched version of PHP.
If you cannot, consider adding validation to password that rejects passwords of abnormal length. As an example:
if (strlen($password) > 128) {
throw new RuntimeException('Invalid password');
}