Vulnerability Details: CVE-2022-24953
The Crypt_GPG extension before 1.6.7 for PHP does not prevent additional options in GPG calls, which presents a risk for certain environments and GPG versions.
Vulnerability category: Input validation
Products affected by CVE-2022-24953
- cpe:2.3:a:pear:crypt_gpg:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-24953
- 0.07%: Probability of exploitation activity in the next 30 days
- ~32%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-24953
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | |
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 | NIST | |
CWE ids for CVE-2022-24953
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-24953
- https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04
  Insert the end-of-options marker before operation arguments. · pear/Crypt_GPG@74c8f98 · GitHub (Patch; Third Party Advisory)
- https://github.com/pear/Crypt_GPG/commit/29c0fbe96d0d4063ecd5c9a4644cb65a7fb7cc4e
  Prepare 1.6.7 release · pear/Crypt_GPG@29c0fbe · GitHub (Patch; Third Party Advisory)