PT-2022-7564 · Unknown+12 · Pdo Sqlite+12

Cmb · Published 2022-10-29 · Updated 2025-08-11 · CVE-2022-31631

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

PHP versions 8.0.* through 8.0.26
PHP versions 8.1.* through 8.1.14
PHP versions 8.2.* through 8.2.1

Description

The issue is caused by an uncaught integer overflow in the PDO::quote() function of PDO SQLite, which can return an improperly quoted string when it is called on user-supplied input that has no length restriction. This can lead to SQL injection, allowing attackers to inject malicious code and potentially gain control. The vulnerability affects multiple versions of PHP and poses a significant risk to websites and applications that rely on the PHP Data Objects (PDO) extension for SQLite database interactions.

Recommendations

Update to PHP version 8.0.27 or later to fix the PDO/SQLite issue.
Update to PHP version 8.1.15 or later to fix the PDO/SQLite issue.
Update to PHP version 8.2.2 or later to fix the PDO/SQLite issue.
As a temporary workaround, consider restricting the use of the PDO::quote() function until a patch is available.
Avoid using the PDO::quote() function with user-supplied input without proper length restrictions in place.
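
The recommendations above as a deployment check and a query pattern, in an added example that is not code from this advisory or from the PHP project. The names isListedAsAffected() and findUserByName(), the users table and the 255-byte limit are hypothetical, and using a bound parameter is this example's way of keeping user input away from PDO::quote().

```php
<?php
// Added example: version check against the ranges listed in this advisory,
// plus a length-limited lookup that does not call PDO::quote().
declare(strict_types=1);

// First fixed release per branch, taken from the Recommendations section.
const FIRST_FIXED = ['8.0' => '8.0.27', '8.1' => '8.1.15', '8.2' => '8.2.2'];
const MAX_NAME_BYTES = 255; // hypothetical application limit

/** True when $version falls in a range this advisory lists as affected. */
function isListedAsAffected(string $version): bool
{
    // Keep only major.minor.patch; suffixes such as "-1ubuntu2" are ignored.
    if (!preg_match('/^(\d+\.\d+)\.\d+/', $version, $m)) {
        throw new InvalidArgumentException("Unrecognised version: $version");
    }
    // Branches the advisory does not list are reported as not covered.
    $fixed = FIRST_FIXED[$m[1]] ?? null;
    return $fixed !== null && version_compare($m[0], $fixed, '<');
}

/** Looks up a user by name without building SQL from the input. */
function findUserByName(PDO $db, string $name): array
{
    // Length restriction on user-supplied input, as the advisory recommends.
    if (strlen($name) > MAX_NAME_BYTES) {
        throw new LengthException('name exceeds ' . MAX_NAME_BYTES . ' bytes');
    }
    // The value is bound as a parameter and never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

printf("PHP %s listed as affected: %s\n", PHP_VERSION,
    isListedAsAffected(PHP_VERSION) ? 'yes' : 'no');
// A name containing a quote character is handled as data by the bound parameter.
var_dump(findUserByName($db, "O'Brien"));
```

Distribution packages can carry the fix under an older upstream version number (see the vendor advisories under Related Identifiers), so a "yes" on a distro build means the package changelog needs checking, not that the build is necessarily unpatched.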

Exploit

Fix

Special Elements Injection

Integer Overflow

Weakness Enumeration

Related Identifiers

ALSA-2023:0848
ALSA-2023:0965
ALSA-2023:2417
ALSA-2023:2903
ALT-PU-2023-1021
ALT-PU-2023-1026
ALT-PU-2023-1058
ALT-PU-2023-1063
ALT-PU-2023-1112
BDU:2024-07320
BIT-LIBPHP-2022-31631
BIT-PHP-2022-31631
BIT-PHP-MIN-2022-31631
CESA-2023_0848
CESA-2023_2903
CVE-2022-31631
DLA-3345-1
DSA-5363-1
MGASA-2023-0013
OESA-2023-1619
OESA-2023-1620
OESA-2023-1621
OESA-2023-1622
OPENSUSE-SU-2023_0073-1
OPENSUSE-SU-2023_0074-1
OPENSUSE-SU-2023_0084-1
OPENSUSE-SU-2024:12601-1
RHSA-2023:0848
RHSA-2023:0965
RHSA-2023:2417
RHSA-2023:2903
RHSA-2023_0848
RHSA-2023_0965
RHSA-2023_2417
RHSA-2023_2903
RLSA-2023:0848
RLSA-2023:0965
SUSE-SU-2023:0072-1
SUSE-SU-2023:0073-1
SUSE-SU-2023:0074-1
SUSE-SU-2023:0084-1
SUSE-SU-2023:0476-1
SUSE-SU-2023_0073-1
SUSE-SU-2023_0074-1
SUSE-SU-2023_0084-1
SUSE-SU-2023_0476-1
USN-5818-1
USN-5905-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Pdo
Pdo Sqlite
Php
Red Hat
Rocky Linux
Sqlite
Suse
Ubuntu