CVE-2022-31628

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.

CVSS v3 2.3 LOW

2.3^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 0.8 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://bugs.php.net/bug.php?id=81726	Permissions Required Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/
https://security.gentoo.org/glsa/202211-03	Third Party Advisory
https://security.netapp.com/advisory/ntap-20221209-0001/	Third Party Advisory
https://www.debian.org/security/2022/dsa-5277	Third Party Advisory
https://bugs.php.net/bug.php?id=81726	Permissions Required Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/
https://security.gentoo.org/glsa/202211-03	Third Party Advisory
https://security.netapp.com/advisory/ntap-20221209-0001/	Third Party Advisory
https://www.debian.org/security/2022/dsa-5277	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:35:::::::*
	cpe:2.3:o:fedoraproject:fedora:36:::::::*
	cpe:2.3:o:fedoraproject:fedora:37:::::::*

Configuration 3 (hide)

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

History

21 Nov 2024, 07:04

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~5.5~~	v2 : unknown v3 : 2.3
References	~~() https://bugs.php.net/bug.php?id=81726 - Permissions Required, Third Party Advisory~~	() https://bugs.php.net/bug.php?id=81726 - Permissions Required, Third Party Advisory
References	~~() https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html - Mailing List, Third Party Advisory~~	() https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html - Mailing List, Third Party Advisory
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/ -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/ -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/ -
References	~~() https://security.gentoo.org/glsa/202211-03 - Third Party Advisory~~	() https://security.gentoo.org/glsa/202211-03 - Third Party Advisory
References	~~() https://security.netapp.com/advisory/ntap-20221209-0001/ - Third Party Advisory~~	() https://security.netapp.com/advisory/ntap-20221209-0001/ - Third Party Advisory
References	~~() https://www.debian.org/security/2022/dsa-5277 - Third Party Advisory~~	() https://www.debian.org/security/2022/dsa-5277 - Third Party Advisory

07 Nov 2023, 03:47

Type	Values Removed	Values Added
References	{'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/', 'name': 'FEDORA-2022-afdea1c747', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'} {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/', 'name': 'FEDORA-2022-0b77fbd9e7', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'} {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/', 'name': 'FEDORA-2022-f204e1d0ed', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/ -

21 Jul 2023, 19:26

Type	Values Removed	Values Added
CWE	~~CWE-674~~	CWE-835

Information

Published : 2022-09-28 23:15

Updated : 2024-11-21 07:04

NVD link : CVE-2022-31628

Mitre link : CVE-2022-31628

CVE.ORG link : CVE-2022-31628

JSON object : View

Products Affected

php

fedoraproject

fedora

debian

debian_linux

CWE

CWE-674

Uncontrolled Recursion

CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')

2.3 /10