CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
EPSS Percentile | 91.2% |
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an
integer overflow and resultant buffer overflow that allows attackers to
execute arbitrary code or eliminate expected cryptographic properties. This
occurs in the sponge function interface.
Author | Note |
---|---|
sbeattie | PEAR issues should go against php-pear as of xenial |
rodrigo-zaiden | PHP includes Keccak code for sha3 starting from php7.2 |
leosilva | in PHP it was introduced in 91663a92d1697fc30a7ba4687d73e0f63ec2baa1 php-7.2.0alpha1 |
mdeslaur | Python 3.11 switched to using tiny_sha3, so not affected. |
OS | OS Version | Architecture | Package | Fixed in Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | php7.2 | < 7.2.24-0ubuntu0.18.04.15 | UNKNOWN |
ubuntu | 20.04 | noarch | php7.4 | < 7.4.3-4ubuntu2.15 | UNKNOWN |
ubuntu | 22.04 | noarch | php8.1 | < 8.1.2-1ubuntu2.8 | UNKNOWN |
ubuntu | 22.10 | noarch | php8.1 | < 8.1.7-1ubuntu3.1 | UNKNOWN |
ubuntu | 23.04 | noarch | php8.1 | < 8.1.12-1ubuntu2 | UNKNOWN |
ubuntu | 20.04 | noarch | pypy3 | < 7.3.1+dfsg-4ubuntu0.1 | UNKNOWN |
ubuntu | 22.04 | noarch | pypy3 | < 7.3.9+dfsg-1ubuntu0.1 | UNKNOWN |
ubuntu | 18.04 | noarch | pysha3 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | pysha3 | < 1.0.2-4ubuntu0.1 | UNKNOWN |
ubuntu | 22.04 | noarch | pysha3 | < 1.0.2-4.2ubuntu0.22.04.1 | UNKNOWN |
csrc.nist.gov/projects/hash-functions/sha-3-project
github.com/php/php-src/commit/248f647724e385bfb8d83aa5b5a5ca3c4ee2c7fd
github.com/python/cpython/commit/0e4e058602d93b88256ff90bbef501ba20be9dd3 (3.10-branch)
github.com/python/cpython/commit/8088c90044ba04cd5624b278340ebf934dbee4a5 (3.7-branch)
github.com/python/cpython/commit/857efee6d2d43c5c12fc7e377ce437144c728ab8 (3.9-branch)
github.com/python/cpython/commit/948c6794711458fd148a3fa62296cadeeb2ed631 (3.8-branch)
github.com/python/cpython/issues/98517
github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a
github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658
launchpad.net/bugs/cve/CVE-2022-37454
mouha.be/sha-3-buffer-overflow/
news.ycombinator.com/item?id=33281106
nvd.nist.gov/vuln/detail/CVE-2022-37454
security-tracker.debian.org/tracker/CVE-2022-37454
ubuntu.com/security/notices/USN-5717-1
ubuntu.com/security/notices/USN-5767-1
ubuntu.com/security/notices/USN-5767-3
ubuntu.com/security/notices/USN-5888-1
ubuntu.com/security/notices/USN-5930-1
ubuntu.com/security/notices/USN-5931-1
ubuntu.com/security/notices/USN-6524-1
ubuntu.com/security/notices/USN-6525-1
www.cve.org/CVERecord?id=CVE-2022-37454