CVE-2022-31629

Опубликовано: 29 сент. 2022

Источник: redhat

CVSS3: 6.5

EPSS Средний

Описание

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.

A vulnerability was found in PHP due to the way PHP handles HTTP variable names. It interferes with HTTP variable names that clash with ones that have a specific semantic meaning. This vulnerability allows network and same-site attackers to set a standard insecure cookie in the victim's browser, which is treated as a __Host- or __Secure- cookie by PHP applications, posing a threat to data integrity.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Enterprise Linux 6	php	Out of support scope
Red Hat Enterprise Linux 7	php	Out of support scope
Red Hat Software Collections	rh-php73-php	Will not fix
Red Hat Enterprise Linux 8	php	Fixed	RHSA-2023:0848	21.02.2023
Red Hat Enterprise Linux 8	php	Fixed	RHSA-2023:2903	16.05.2023
Red Hat Enterprise Linux 9	php	Fixed	RHSA-2023:0965	28.02.2023
Red Hat Enterprise Linux 9	php	Fixed	RHSA-2023:2417	09.05.2023

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-20

https://bugzilla.redhat.com/show_bug.cgi?id=2133687php: standard insecure cookie could be treated as a '__Host-' or '__Secure-' cookie by PHP applications

EPSS

Процентиль: 96%

0.24317

Средний

6.5 Medium

CVSS3

Связанные уязвимости

CVE-2022-31629

CVSS3: 6.5

ubuntu

почти 3 года назад

CVE-2022-31629

CVSS3: 6.5

nvd

почти 3 года назад

CVE-2022-31629

CVSS3: 6.5

debian

почти 3 года назад

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability en ...

ROS-20240730-07

CVSS3: 6.5

redos

около 1 года назад

Уязвимость php

GHSA-c43m-486j-j32p

CVSS3: 6.5

github

почти 3 года назад

EPSS

Процентиль: 96%

0.24317

Средний

6.5 Medium

CVSS3