Vulnerability Details: CVE-2022-31628
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress gzip "quine" files (gzip streams whose decompressed output is again a gzip stream equal to the input), resulting in an infinite loop.
Products affected by CVE-2022-31628
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
Threat overview for CVE-2022-31628
- Top open port discovered on systems with this issue: 80
- IPs affected by CVE-2022-31628: 1,251,481
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2022-31628
- EPSS score: 0.01% (probability of exploitation activity in the next 30 days)
CVSS scores for CVE-2022-31628
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 | NIST |
2.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L | 0.8 | 1.4 | PHP Group |
CWE ids for CVE-2022-31628
- The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. Assigned by: nvd@nist.gov (Primary); security@php.net (Secondary)
- The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-31628
- https://security.gentoo.org/glsa/202211-03 — PHP: Multiple Vulnerabilities (GLSA 202211-03), Gentoo security (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html — [SECURITY] [DLA 3243-1] php7.3 security update (Mailing List; Third Party Advisory)
- https://bugs.php.net/bug.php?id=81726 — PHP :: You must be logged in (Permissions Required; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/ — [SECURITY] Fedora 35 Update: php-8.0.24-1.fc35, package-announce, Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://www.debian.org/security/2022/dsa-5277 — Debian Security Information: DSA-5277-1 php7.4 (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/ — [SECURITY] Fedora 36 Update: php-8.1.11-1.fc36, package-announce, Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/ — [SECURITY] Fedora 37 Update: php-8.1.12-1.fc37, package-announce, Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20221209-0001/ — September 2022 PHP Vulnerabilities in NetApp Products, NetApp Product Security (Third Party Advisory)