CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
61.0%
Package : php7.3
Version : 7.3.31-1~deb10u3
CVE ID : CVE-2022-31631 CVE-2023-0567 CVE-2023-0568 CVE-2023-0662
Debian Bug : 1031368
Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language, which could result in denial of
service or incorrect validation of BCrypt hashes.
CVE-2022-31631
Due to an uncaught integer overflow, `PDO::quote()` of PDO_SQLite
may return an improperly quoted string. The exact details likely
depend on the implementation of `sqlite3_snprintf()`, but with some
versions it is possible to force the function to return a single
apostrophe, if the function is called on user supplied input without
any length restrictions in place.
CVE-2023-0567
Tim Düsterhus discovered that malformed BCrypt hashes that include a
`$` within their salt part trigger a buffer overread and may
erroneously validate any password as valid. (`Password_verify()`
always return `true` with such inputs.)
CVE-2023-0568
1-byte array overrun when appending slash to paths during path
resolution.
CVE-2023-0662
Jakob Ackermann discovered a Denial of Service vulnerability when
parsing multipart request body: the request body parsing in PHP
allows any unauthenticated attacker to consume a large amount of CPU
time and trigger excessive logging.
For Debian 10 buster, these problems have been fixed in version
7.3.31-1~deb10u3.
We recommend that you upgrade your php7.3 packages.
For the detailed security status of php7.3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php7.3
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 11 | armhf | php7.4-dev | < 7.4.33-1+deb11u3 | php7.4-dev_7.4.33-1+deb11u3_armhf.deb |
Debian | 11 | amd64 | php7.4-opcache-dbgsym | < 7.4.33-1+deb11u3 | php7.4-opcache-dbgsym_7.4.33-1+deb11u3_amd64.deb |
Debian | 11 | i386 | php7.4-zip-dbgsym | < 7.4.33-1+deb11u3 | php7.4-zip-dbgsym_7.4.33-1+deb11u3_i386.deb |
Debian | 11 | amd64 | php7.4-gmp-dbgsym | < 7.4.33-1+deb11u3 | php7.4-gmp-dbgsym_7.4.33-1+deb11u3_amd64.deb |
Debian | 11 | armhf | php7.4-tidy-dbgsym | < 7.4.33-1+deb11u3 | php7.4-tidy-dbgsym_7.4.33-1+deb11u3_armhf.deb |
Debian | 11 | mipsel | php7.4-fpm | < 7.4.33-1+deb11u3 | php7.4-fpm_7.4.33-1+deb11u3_mipsel.deb |
Debian | 11 | armhf | php7.4-xml-dbgsym | < 7.4.33-1+deb11u3 | php7.4-xml-dbgsym_7.4.33-1+deb11u3_armhf.deb |
Debian | 10 | arm64 | php7.3-cgi | < 7.3.31-1~deb10u3 | php7.3-cgi_7.3.31-1~deb10u3_arm64.deb |
Debian | 11 | s390x | php7.4-interbase-dbgsym | < 7.4.33-1+deb11u3 | php7.4-interbase-dbgsym_7.4.33-1+deb11u3_s390x.deb |
Debian | 11 | mips64el | php7.4-gmp-dbgsym | < 7.4.33-1+deb11u3 | php7.4-gmp-dbgsym_7.4.33-1+deb11u3_mips64el.deb |
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
61.0%