Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2022-31631

9.1 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

created 1 year, 2 months ago

PDO::quote() may return unquoted string

In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to incorrectly quote the data, which may further lead to SQL injection vulnerabilities.

References

Affected products

pdo_sqlite

<8.1.15
<8.2.2
<8.0.27

Matching in nixpkgs

pkgs.php81Extensions.pdo_sqlite

PHP upstream extension: pdo_sqlite

nixos-unstable 8.1.31
- nixpkgs-unstable 8.1.31
- nixos-unstable-small 8.1.31

pkgs.php82Extensions.pdo_sqlite

PHP upstream extension: pdo_sqlite

nixos-unstable 8.2.26
- nixpkgs-unstable 8.2.26
- nixos-unstable-small 8.2.26

pkgs.php83Extensions.pdo_sqlite

PHP upstream extension: pdo_sqlite

nixos-unstable 8.3.14
- nixpkgs-unstable 8.3.14
- nixos-unstable-small 8.3.14

pkgs.php84Extensions.pdo_sqlite

PHP upstream extension: pdo_sqlite

nixos-unstable 8.4.1
- nixpkgs-unstable 8.4.1
- nixos-unstable-small 8.4.1

Package maintainers

@aanderse Aaron Andersen <aaron@fosslib.net>
@Ma27 Maximilian Bosch <maximilian@mbosch.me>
@drupol Pol Dellaiera <pol.dellaiera@protonmail.com>
@talyz Kim Lindberger <kim.lindberger@gmail.com>
@piotrkwiecinski Piotr Kwiecinski <piokwiecinski+nixpkgs@gmail.com>