ALASPHP8.0-2023-006 --- phpID: oval:org.secpod.oval:def:1701626 | Date: (C)2023-09-19 (M)2024-04-17 |
Class: PATCH | Family: unix |
A vulnerability was found in PHP due to an uninitialized array in pg_query_params function. When using the Postgres database extension, supplying invalid parameters to the parameterized query may lead to PHP attempting to free memory, using uninitialized data as pointers. This flaw allows a remote attacker with the ability to control query parameters to execute arbitrary code on the system or may cause a denial of service. A buffer overflow vulnerability was found in PHP when processing passwords in mysqlnd/pdo in mysqlnd_wireprotocol.c. When using the pdo_mysql extension with mysqlnd driver, if the third party is allowed to supply a password to the host for the connection, a password of excessive length can trigger a buffer overflow in PHP. This flaw allows a remote attacker to pass a password via PDO to the MySQL server, triggering arbitrary code execution on the target system