Lucene search

K
cvelistPhpCVELIST:CVE-2022-31628
HistorySep 27, 2022 - 12:00 a.m.

CVE-2022-31628 phar wrapper can occur dos when using quine gzip file

2022-09-2700:00:00
CWE-674
php
www.cve.org

2.3 Low

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

7.9 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

18.1%

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress “quines” gzip files, resulting in an infinite loop.

CNA Affected

[
  {
    "vendor": "PHP Group",
    "product": "PHP",
    "versions": [
      {
        "version": "7.4.X",
        "status": "affected",
        "lessThan": "7.4.31",
        "versionType": "custom"
      },
      {
        "version": "8.0.X",
        "status": "affected",
        "lessThan": "8.0.24",
        "versionType": "custom"
      },
      {
        "version": "8.1.X",
        "status": "affected",
        "lessThan": "8.1.11",
        "versionType": "custom"
      }
    ]
  }
]

2.3 Low

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

7.9 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

18.1%