PhpCVELIST:CVE-2022-31628CVE-2022-31628 phar wrapper can occur dos when using quine gzip file
2.3 Low
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
7.9 High
AI Score
Confidence
High
0.0005 Low
EPSS
Percentile
18.1%
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress “quines” gzip files, resulting in an infinite loop.
CNA Affected
[
{
"vendor": "PHP Group",
"product": "PHP",
"versions": [
{
"version": "7.4.X",
"status": "affected",
"lessThan": "7.4.31",
"versionType": "custom"
},
{
"version": "8.0.X",
"status": "affected",
"lessThan": "8.0.24",
"versionType": "custom"
},
{
"version": "8.1.X",
"status": "affected",
"lessThan": "8.1.11",
"versionType": "custom"
}
]
}
]References
bugs.php.net/bug.php?id=81726
lists.debian.org/debian-lts-announce/2022/12/msg00030.html
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/
security.gentoo.org/glsa/202211-03
security.netapp.com/advisory/ntap-20221209-0001/
www.debian.org/security/2022/dsa-5277
Related
2.3 Low
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
7.9 High
AI Score
Confidence
High
0.0005 Low
EPSS
Percentile
18.1%