CVE-2022-31631
Published: 12 February 2025
Description
In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, and 8.2.* before 8.2.2, when the PDO::quote() function is used to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to quote the data incorrectly, which may in turn lead to SQL injection vulnerabilities.
Security Summary
CVE-2022-31631 is a vulnerability in the PHP PDO::quote() function when used with SQLite databases. It affects PHP versions 8.0.* prior to 8.0.27, 8.1.* prior to 8.1.15, and 8.2.* prior to 8.2.2. The issue arises when an overly long user-supplied string is passed to PDO::quote(), causing the SQLite driver to incorrectly quote the data, which can enable SQL injection vulnerabilities. The vulnerability has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command).
An attacker can exploit this vulnerability remotely over the network with low complexity, requiring no privileges, user interaction, or special conditions. By supplying an excessively long string to an application that uses PDO::quote() for SQLite, the attacker can bypass proper quoting, leading to SQL injection. Successful exploitation allows high-impact confidentiality and integrity violations, such as unauthorized data access or modification, without affecting availability.
Advisories recommend upgrading to PHP versions 8.0.27, 8.1.15, or 8.2.2, where the quoting issue has been fixed. The primary bug report is documented at bugs.php.net/bug.php?id=81740, and NetApp's advisory (ntap-20230223-0007) addresses the issue in affected products, urging immediate patching.
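A defender-side check, added here and not taken from the advisory or the PHP project: it flags the affected version ranges listed above and queries SQLite through a bound parameter, so the value never passes through PDO::quote(). The `users` table, the helper names and the 256-byte input limit are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

const MAX_NAME_LEN = 256; // hypothetical application limit, not from the advisory

/** True if $version is inside one of the affected ranges listed in the advisory. */
function isAffected(string $version): bool
{
    // First fixed release per branch, as named in the advisory text.
    $firstFixed = ['8.0' => '8.0.27', '8.1' => '8.1.15', '8.2' => '8.2.2'];
    if (!preg_match('/^(\d+\.\d+)\.\d+/', $version, $m)) {
        throw new InvalidArgumentException("unparseable PHP version: $version");
    }
    $fixed = $firstFixed[$m[1]] ?? null; // other branches are not covered here
    // Distro builds can backport the fix without changing this number,
    // so "true" means "check the vendor advisory", not proof of exposure.
    return $fixed !== null && version_compare($m[0], $fixed, '<');
}

/** Look up a user with a bound parameter instead of PDO::quote(). */
function findUser(PDO $pdo, string $name): array
{
    // Defence in depth: refuse oversized input before it reaches the driver.
    if (strlen($name) > MAX_NAME_LEN) {
        throw new LengthException('name exceeds application limit');
    }
    // The value travels as a parameter and is never spliced into the SQL text.
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('o''brien')");

printf("running PHP %s: %s\n", PHP_VERSION, isAffected(PHP_VERSION) ? 'affected range' : 'not in range');

// Constructed sample version strings, including a distro-style suffix.
foreach (['8.0.26', '8.1.15', '8.2.1', '8.1.2-1ubuntu2.14'] as $v) {
    printf("%-20s %s\n", $v, isAffected($v) ? 'affected range' : 'not in range');
}

// A name containing a quote, then a constructed string with SQL metacharacters.
var_dump(findUser($pdo, "o'brien"));
var_dump(findUser($pdo, "x' OR '1'='1"));
```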
Details
- CWE(s)