CVE-2022-31626 php: password of excessive length triggers buffer overflow leading to RCE

Publication Date: 2022-05-16
Severity: High
Type: Remote Code Execution
Affected PHP Versions
  • 5.6.0 - 5.6.40
  • 7.1.0 - 7.1.33
  • 7.2.0 - 7.2.34
  • 7.3.0 - 7.3.33
  • 7.4.0 - 7.4.29
  • 8.0.0 - 8.0.19
  • 8.1.0 - 8.1.6
Fixed Product Versions
  • ZendPHP 5.6
  • ZendPHP 7.1
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendPHP 8.0
  • ZendPHP 8.1
  • ZendServer 8.5.19
  • ZendServer 9.1.14
  • ZendServer 2019.1.1
  • ZendServer 2021.2.0

CVE Details

When using the PDO_MySQL extension with the mysqlnd driver, if a third party is allowed to supply the host and credentials with which to connect, a password of excessive length can trigger a buffer overflow in PHP, leading to a remote code execution vulnerability.

Recommendations

If you use the PDO_MySQL extension with the mysqlnd driver, you should upgrade to a patched version of PHP.

If you cannot, consider adding validation of the password that rejects passwords of abnormal length before they are passed to PDO. As an example:

// Reject the value before it reaches PDO/mysqlnd; strlen() counts bytes, which is the length that matters here.
if (strlen($password) > 128) {
    throw new RuntimeException('Invalid password');
}
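A fuller version of that guard, as an added example that is not part of the advisory: it checks all three third-party-supplied values and only then constructs the PDO object, so mysqlnd never sees an oversized password. The function names, the host allow-list and the 64-byte username limit are assumptions; the 128-byte password limit follows the advisory's example.

```php
<?php
declare(strict_types=1);

// Assumed limit, taken from the advisory's example check.
const MAX_PASSWORD_BYTES = 128;
// Assumed sanity limit for the username (not from the advisory).
const MAX_USER_BYTES = 64;

/**
 * Validate connection parameters supplied by a third party.
 * Returns the parameters unchanged on success, throws on anything abnormal.
 */
function validateMysqlParams(string $host, string $user, string $password, array $allowedHosts): array
{
    // strlen() counts bytes; mb_strlen() would under-count multibyte input
    // and is the wrong measure for a buffer limit.
    if ($password === '' || strlen($password) > MAX_PASSWORD_BYTES) {
        throw new RuntimeException('Invalid password');
    }
    if ($user === '' || strlen($user) > MAX_USER_BYTES) {
        throw new RuntimeException('Invalid username');
    }
    // Only hosts on an operator-maintained allow-list may be connected to.
    if (!in_array($host, $allowedHosts, true)) {
        throw new RuntimeException('Host not permitted');
    }
    return ['host' => $host, 'user' => $user, 'password' => $password];
}

function connectMysql(array $params, string $dbname): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $params['host'], $dbname);
    return new PDO($dsn, $params['user'], $params['password'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Constructed request: well-formed host and user, but a password far over the limit.
$request = ['host' => 'db.internal', 'user' => 'app', 'password' => str_repeat('A', 4096)];
try {
    $params = validateMysqlParams($request['host'], $request['user'], $request['password'], ['db.internal']);
    $pdo = connectMysql($params, 'appdb');
} catch (RuntimeException $e) {
    // Rejected here, before new PDO() is ever called.
    error_log('Rejected connection parameters: ' . $e->getMessage());
}
```

Log the rejection with the request's source so repeated oversized-password attempts against an unpatched host are visible to detection.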