PHP up to 8.0.26/8.1.14/8.2.1 SQLite Driver sqlite_driver.c PDO::quote integer overflow

Summaryinfo

A vulnerability classified as critical was found in PHP up to 8.0.26/8.1.14/8.2.1. Affected by this issue is the function PDO::quote of the file ext/pdo_sqlite/sqlite_driver.c of the component SQLite Driver. The manipulation results in integer overflow. This vulnerability is cataloged as CVE-2022-31631. The attack may be launched remotely. Furthermore, there is an exploit available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability was found in PHP up to 8.0.26/8.1.14/8.2.1 (Programming Language Software). It has been classified as critical. Affected is the function PDO::quote of the file ext/pdo_sqlite/sqlite_driver.c of the component SQLite Driver. The manipulation with an unknown input leads to a integer overflow vulnerability. CWE is classifying the issue as CWE-190. The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. The impact remains unknown. CVE summarizes:

In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to incorrectly quote the data, which may further lead to SQL injection vulnerabilities.

The weakness was shared 09/07/2023 as 81740 as confirmed bug report (Website). The advisory is shared for download at bugs.php.net. This vulnerability is traded as CVE-2022-31631 since 05/25/2022. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Technical details and a public exploit are known.

The exploit is shared for download at bugs.php.net. It is declared as proof-of-concept. As 0-day the estimated underground price was around $5k-$25k. The vulnerability scanner Nessus provides a plugin with the ID 234513 (Amazon Linux 2 : php (ALAS-2025-2832)), which helps to determine the existence of the flaw in a target environment. The code used by the exploit is:

<?php
$pdo = new PDO("sqlite::memory:");
$string = str_repeat("a", 0x80000000);
var_dump($pdo->quote($string));
?>

Upgrading to version 8.0.27, 8.1.15 or 8.2.2 eliminates this vulnerability. The upgrade is hosted for download at php.net. Applying the patch 921b6813da3237a83e908998483f46ae3d8bacba is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (234513) and CERT Bund (WID-SEC-2023-0035). VulDB is the best source for vulnerability data and more expert information about this specific topic.

Affected

• Debian Linux
• Amazon Linux 2
• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux
• Oracle Linux
• Gentoo Linux
• Open Source PHP
• Open Source Alpine Linux
• RESF Rocky Linux

Productinfo

Type

• Programming Language Software

Name

• PHP

Version

• 8.0.0
• 8.0.1
• 8.0.2
• 8.0.3
• 8.0.4
• 8.0.5
• 8.0.6
• 8.0.7
• 8.0.8
• 8.0.9
• 8.0.10
• 8.0.11
• 8.0.12
• 8.0.13
• 8.0.14
• 8.0.15
• 8.0.16
• 8.0.17
• 8.0.18
• 8.0.19
• 8.0.20
• 8.0.21
• 8.0.22
• 8.0.23
• 8.0.24
• 8.0.25
• 8.0.26
• 8.1.0
• 8.1.1
• 8.1.2
• 8.1.3
• 8.1.4
• 8.1.5
• 8.1.6
• 8.1.7
• 8.1.8
• 8.1.9
• 8.1.10
• 8.1.11
• 8.1.12
• 8.1.13
• 8.1.14
• 8.2.0
• 8.2.1

License

• open-source

Website

• Product: https://www.php.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Discussion