CVE-2022-31628

Опубликовано: 28 сент. 2022

Источник: nvd

CVSS3: 2.3

CVSS3: 5.5

EPSS Низкий

Описание

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.

Ссылки

https://bugs.php.net/bug.php?id=81726
Permissions Required
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/
https://security.gentoo.org/glsa/202211-03
Third Party Advisory
https://security.netapp.com/advisory/ntap-20221209-0001/
Third Party Advisory
https://www.debian.org/security/2022/dsa-5277
Third Party Advisory
https://bugs.php.net/bug.php?id=81726
Permissions Required
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/
https://security.gentoo.org/glsa/202211-03
Third Party Advisory
https://security.netapp.com/advisory/ntap-20221209-0001/
Third Party Advisory
https://www.debian.org/security/2022/dsa-5277
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:php:php:*:*:*:*:*:*:*:*

Версия до 7.4.31 (исключая)

cpe:2.3:a:php:php:*:*:*:*:*:*:*:*

Версия от 8.0.0 (включая) до 8.0.24 (исключая)

cpe:2.3:a:php:php:*:*:*:*:*:*:*:*

Версия от 8.1.0 (включая) до 8.1.11 (исключая)

Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

EPSS

Процентиль: 8%

0.00031

Низкий

2.3 Low

CVSS3

5.5 Medium

CVSS3

Дефекты

CWE-674

CWE-835

Связанные уязвимости

CVE-2022-31628

CVSS3: 2.3

ubuntu

около 3 лет назад

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.

CVE-2022-31628

CVSS3: 4.4

redhat

около 3 лет назад

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.

CVE-2022-31628

CVSS3: 2.3

msrc

около 1 месяца назад

phar wrapper can occur dos when using quine gzip file

CVE-2022-31628

CVSS3: 2.3

debian

около 3 лет назад

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompresso ...

GHSA-cj46-35hf-rv96

CVSS3: 5.5

github

около 3 лет назад

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.

EPSS

Процентиль: 8%

0.00031

Низкий

2.3 Low

CVSS3

5.5 Medium

CVSS3

Дефекты

CWE-674

CWE-835