CVE-2022-31626: 
PHP vulnerability analysis and mitigation

CVE-2022-31626 affects PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7. The vulnerability exists in the pdo_mysql extension with mysqlnd driver, where if a third party is allowed to supply host to connect to and the password for the connection, a password of excessive length can trigger a buffer overflow in PHP (PHP Bug, MITRE).

The vulnerability stems from a buffer overflow condition in the mysqlnd/pdo password handling. When copying the user-submitted password to a buffer for MySQL server authentication, the code allocates auth_data_len bytes but copies auth_data_len + MYSQLND_HEADER_SIZE bytes, leading to a buffer overflow. This occurs during the legacy authentication method that requires sending a raw password instead of using challenge/response logic (PHP Bug). The vulnerability has been assigned a CVSS score of 8.8 (High) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NetApp Advisory).

Successful exploitation of this vulnerability could lead to remote code execution on the affected system. The vulnerability is particularly concerning for applications like Adminer and PHPMyAdmin that handle database connections (PHP Bug).

The vulnerability has been fixed in PHP versions 7.4.30, 8.0.20, and 8.1.7. Users are strongly recommended to upgrade to these versions or later. The fix involves adding the size of the header in the buffer allocation computation (Fedora Update).