ALT-PU-2022-2098-1

Package update php8.1 in branch c9f2

Version8.1.7-alt1

Published2022-06-21

Max severityCRITICAL

Severity:

Closed issues (4)

HIGH7.5

Уязвимость функции mysqlnd/pdo (mysqlnd_wireprotocol.c) интерпретатора языка программирования PHP, позволяющая нарушителю выполнить произвольный код

Published: 2022-06-24Modified: 2024-11-07

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

References

CVE-2022-31626

CRITICAL9.8

Уязвимость функции pg_query_params() интерпретатора языка программирования PHP, позволяющая нарушителю выполнить произвольный код

Published: 2022-08-29Modified: 2024-11-07

CVSS 3.xCRITICAL 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

References

CVE-2022-31625

HIGH8.1

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to RCE vulnerability or denial of service.

Published: 2022-06-16Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

HIGH8.8

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when pdo_mysql extension with mysqlnd driver, if the third party is allowed to supply host to connect to and the password for the connection, password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability.

Published: 2022-06-16Modified: 2024-11-21

CVSS 2.0MEDIUM 6.0

CVSS:2.0/AV:N/AC:M/Au:S/C:P/I:P/A:P

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References