CVE-2022-31631
Published: 12 February 2025
Summary
CVE-2022-31631 is a critical-severity Injection (CWE-74) vulnerability in PHP. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks in the top 25.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-31631 is a vulnerability in the PHP PDO::quote() function when used with SQLite databases. It affects PHP versions 8.0.* prior to 8.0.27, 8.1.* prior to 8.1.15, and 8.2.* prior to 8.2.2. The issue arises when an overly long user-supplied string is passed to PDO::quote(), causing the SQLite driver to incorrectly quote the data, which can enable SQL injection vulnerabilities. The vulnerability has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command).
An attacker can exploit this vulnerability remotely over the network with low complexity, requiring no privileges, user interaction, or special conditions. By supplying an excessively long string to an application that uses PDO::quote() for SQLite, the attacker can bypass proper quoting, leading to SQL injection. Successful exploitation allows high-impact confidentiality and integrity violations, such as unauthorized data access or modification, without affecting availability.
Advisories recommend upgrading to PHP versions 8.0.27, 8.1.15, or 8.2.2, where the quoting issue has been fixed. The primary bug report is documented at bugs.php.net/bug.php?id=81740, and NetApp's advisory (ntap-20230223-0007) addresses the issue in affected products, urging immediate patching.
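The advisory's two mitigations, timely patching (SI-2) and validating user input before it reaches the database layer (SI-10), can both be enforced in application code. The following PHP is an added example written for this record; it is not code from the CVE entry, the PHP bug report, or the PHP project. It checks the running PHP version against the fixed releases named above, caps the length of a user-supplied string before any quoting or query building, and stores the value through a prepared statement with a bound parameter so that PDO::quote() is never used to build SQL text. The table `notes`, the column `title`, and the `MAX_TITLE_LEN` limit are hypothetical; the advisory does not state a specific string length that triggers the bug, so the limit is an application policy, not a threshold taken from the page.

```php
<?php
// Added example (not from the CVE record or the PHP project): defensive handling
// of user-supplied strings destined for SQLite through PDO.
// Hypothetical: table "notes", column "title", and the MAX_TITLE_LEN policy.
declare(strict_types=1);

// Application-level input limit (policy choice, not a threshold from the advisory).
const MAX_TITLE_LEN = 200;

/**
 * True when $version carries the PDO_SQLITE quoting fix. Fixed releases are
 * the ones named in the advisory: 8.0.27, 8.1.15 and 8.2.2. Versions outside
 * those three release lines are not covered by the advisory, so this check
 * treats them as not affected.
 */
function pdoSqliteQuoteFixed(string $version = PHP_VERSION): bool
{
    $fixed = ['8.0' => '8.0.27', '8.1' => '8.1.15', '8.2' => '8.2.2'];
    $parts = explode('.', $version);
    $branch = $parts[0] . '.' . ($parts[1] ?? '0');
    if (!isset($fixed[$branch])) {
        return true; // not one of the affected 8.0 / 8.1 / 8.2 lines
    }
    return version_compare($version, $fixed[$branch], '>=');
}

/**
 * Input validation (SI-10): reject oversized input before it reaches any
 * quoting or query-building code, regardless of the driver's behaviour.
 */
function validateTitle(string $title): string
{
    if (strlen($title) > MAX_TITLE_LEN) {
        throw new InvalidArgumentException('title exceeds ' . MAX_TITLE_LEN . ' bytes');
    }
    return $title;
}

/**
 * Insert through a prepared statement with a bound parameter. The value is
 * passed to SQLite separately from the SQL text, so PDO::quote() is not
 * involved at all.
 */
function insertNote(PDO $db, string $title): int
{
    $stmt = $db->prepare('INSERT INTO notes (title) VALUES (:title)');
    $stmt->bindValue(':title', validateTitle($title), PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

function fetchTitle(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT title FROM notes WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['title'];
}

// Demonstration against an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');

// Flaw remediation (SI-2): surface an unpatched interpreter at startup.
if (!pdoSqliteQuoteFixed()) {
    error_log('PHP ' . PHP_VERSION . ' predates the PDO_SQLITE quoting fix; upgrade');
}

// Quote characters in the value are handled by the binding, not by string splicing.
$id = insertNote($db, "O'Reilly's notes");
echo fetchTitle($db, $id), "\n";

// An oversized value is rejected before any SQL is built.
try {
    insertNote($db, str_repeat('A', MAX_TITLE_LEN + 1));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The version check is a deployment guard, not a substitute for upgrading: the bound-parameter path is what removes PDO::quote() from the data flow, and the length check applies the advisory's input-validation control independently of which PHP release is running.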
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54225
Vulnerability details
In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to incorrectly quote the data, which may further lead to SQL injection vulnerabilities.
- CWE(s): CWE-74 (Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote SQL injection flaw in PHP PDO::quote() for SQLite enables exploitation of public-facing web applications without authentication.
Mitigating Controls (NIST 800-53 r5)
- Directly requires timely remediation of the known flaw in PHP's PDO::quote() function for SQLite by patching to fixed versions like 8.0.27.
- Mandates validation of user-supplied inputs before passing to PDO::quote(), preventing SQL injection even when quoting fails on overly long strings.
- Restricts input length and types to block overly long strings that trigger the SQLite driver's incorrect quoting and enable SQL injection.