CVE-2022-31631

CVE-2022-31631 php: PDO::quote() may return unquoted string due to an integer overflow

Publication Date2023-01-05
SeverityLow
TypeSQL Injection
Affected PHP Versions
  • 7.0.0 - 7.4.33
  • 8.0.0 - 8.0.26
  • 8.1.0 - 8.1.13
  • 8.2.0
Fixed Product Versions
  • ZendPHP 7.1
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendPHP 8.0
  • ZendPHP 8.1
  • ZendPHP 8.2

CVE Details

When using versions of SQLite greater than 3.39.1, the PDO::quote() functionality can be abused to return an improperly quoted string, which can lead to information disclosure, SQL injection, and other issues. This issue DOES NOT affect 32bit systems.

Recommendations

If you are using pdo_sqlite on a 64bit system, use a version of SQLite earlier than 3.39.2 if possible, or upgrade your PHP version.