CVE-2022-31631

CRITICAL9.1EPSS 0.60%

PDO::quote() may return unquoted string

Published: 2/12/2025Modified: 4/28/2026

Description

In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to incorrectly quote the data, which may further lead to SQL injection vulnerabilities.

Affected packages (7)

Bitnami/libphp>= 8.0.0, < 8.0.27, >= 8.1.0, < 8.1.15, >= 8.2.0, < 8.2.2
Bitnami/php>= 8.0.0, < 8.0.27, >= 8.1.0, < 8.1.15, >= 8.2.0, < 8.2.2
Bitnami/php-min>= 8.0.0, < 8.0.27, >= 8.1.0, < 8.1.15, >= 8.2.0, < 8.2.2
Debian/php7.3from 0, < 7.3.31-1~deb10u3
Debian/php7.4from 0, < 7.4.33-1+deb11u3
Debian/php7.4from 0, < 7.4.33-1+deb11u3
Debian/php8.2from 0, < 8.2.1-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References (4)

ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-31631
WEBhttps://bugs.php.net/bug.php?id=81740
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2022-31631
WEBhttps://security.netapp.com/advisory/ntap-20230223-0007/