Vulnerability-Lookup

WID-SEC-W-2022-1567

Vulnerability from csaf_certbund - Published: 2022-09-28 22:00 - Updated: 2025-05-12 22:00

Summary

PHP: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: PHP ist eine Programmiersprache, die zur Implementierung von Web-Applikationen genutzt wird.

Angriff: Ein lokaler Angreifer kann mehrere Schwachstellen in PHP ausnutzen, um einen Denial of Service Angriff durchzuführen und um Sicherheitsmechanismen zu umgehen.

Betroffene Betriebssysteme: - Linux - MacOS X - UNIX - Windows

CVE-2022-31628

CVE-2022-31629

References

URL

Category

	https://wid.cert-bund.de/.well-known/csaf/white/2…	self
	https://wid.cert-bund.de/portal/wid/securityadvis…	self
	https://nvd.nist.gov/vuln/detail/CVE-2022-31628	external
	https://nvd.nist.gov/vuln/detail/CVE-2022-31629	external
	https://lists.suse.com/pipermail/sle-security-upd…	external
	https://lists.suse.com/pipermail/sle-security-upd…	external
	https://ubuntu.com/security/notices/USN-5717-1	external
	https://lists.suse.com/pipermail/sle-security-upd…	external
	https://lists.debian.org/debian-security-announce…	external
	https://lists.suse.com/pipermail/sle-security-upd…	external
	https://lists.suse.com/pipermail/sle-security-upd…	external
	https://lists.suse.com/pipermail/sle-security-upd…	external
	https://lists.suse.com/pipermail/sle-security-upd…	external
	https://security.gentoo.org/glsa/202211-03	external
	https://alas.aws.amazon.com/AL2022/ALAS-2022-243.html	external
	https://security.netapp.com/advisory/ntap-2022120…	external
	https://lists.debian.org/debian-lts-announce/2022…	external
	https://access.redhat.com/errata/RHSA-2023:0848	external
	http://linux.oracle.com/errata/ELSA-2023-0848.html	external
	http://linux.oracle.com/errata/ELSA-2023-0965.html	external
	https://access.redhat.com/errata/RHSA-2023:0965	external
	https://ubuntu.com/security/notices/USN-5905-1	external
	https://access.redhat.com/errata/RHSA-2023:2417	external
	https://access.redhat.com/errata/RHSA-2023:2903	external
	https://alas.aws.amazon.com/AL2/ALASPHP8.0-2023-0…	external
	https://bodhi.fedoraproject.org/updates/FEDORA-20…	external
	https://bodhi.fedoraproject.org/updates/FEDORA-20…	external
	https://bodhi.fedoraproject.org/updates/FEDORA-20…	external
	https://lists.opensuse.org/archives/list/security…	external
	https://lists.opensuse.org/archives/list/security…	external
	https://lists.suse.com/pipermail/sle-security-upd…	external
	https://lists.debian.org/debian-lts-announce/2024…	external
	https://alas.aws.amazon.com/AL2/ALASPHP8.2-2024-0…	external
	https://lists.suse.com/pipermail/sle-security-upd…	external
	https://alas.aws.amazon.com/AL2/ALASPHP8.1-2024-0…	external
	https://access.redhat.com/errata/RHSA-2024:10952	external
	https://access.redhat.com/errata/RHSA-2024:10950	external
	https://access.redhat.com/errata/RHSA-2024:10951	external
	https://linux.oracle.com/errata/ELSA-2024-10952.html	external
	https://errata.build.resf.org/RLSA-2024:10951	external
	https://access.redhat.com/errata/RHSA-2025:7315	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "PHP ist eine Programmiersprache, die zur Implementierung von Web-Applikationen genutzt wird.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein lokaler Angreifer kann mehrere Schwachstellen in PHP ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren und um Sicherheitsmechanismen zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- MacOS X\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2022-1567 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-1567.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2022-1567 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1567"
      },
      {
        "category": "external",
        "summary": "National Vulnerability Database vom 2022-09-28",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31628"
      },
      {
        "category": "external",
        "summary": "National Vulnerability Database vom 2022-09-28",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31629"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:3661-1 vom 2022-10-19",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-October/012575.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:3830-1 vom 2022-11-01",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-November/012791.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-5717-1 vom 2022-11-08",
        "url": "https://ubuntu.com/security/notices/USN-5717-1"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:3957-1 vom 2022-11-11",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-November/012902.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-5277 vom 2022-11-13",
        "url": "https://lists.debian.org/debian-security-announce/2022/msg00247.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:3997-1 vom 2022-11-15",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-November/012935.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:4067-1 vom 2022-11-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-November/012983.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:4068-1 vom 2022-11-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-November/012984.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:4069-1 vom 2022-11-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-November/012985.html"
      },
      {
        "category": "external",
        "summary": "Gentoo Linux Security Advisory GLSA-202211-03 vom 2022-11-22",
        "url": "https://security.gentoo.org/glsa/202211-03"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2022-243 vom 2022-12-09",
        "url": "https://alas.aws.amazon.com/AL2022/ALAS-2022-243.html"
      },
      {
        "category": "external",
        "summary": "NetApp Security Advisory NTAP-20221209-0001 vom 2022-12-09",
        "url": "https://security.netapp.com/advisory/ntap-20221209-0001/"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-3243 vom 2022-12-15",
        "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:0848 vom 2023-02-21",
        "url": "https://access.redhat.com/errata/RHSA-2023:0848"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2023-0848 vom 2023-02-22",
        "url": "http://linux.oracle.com/errata/ELSA-2023-0848.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2023-0965 vom 2023-02-28",
        "url": "http://linux.oracle.com/errata/ELSA-2023-0965.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:0965 vom 2023-02-28",
        "url": "https://access.redhat.com/errata/RHSA-2023:0965"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-5905-1 vom 2023-03-02",
        "url": "https://ubuntu.com/security/notices/USN-5905-1"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:2417 vom 2023-05-09",
        "url": "https://access.redhat.com/errata/RHSA-2023:2417"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:2903 vom 2023-05-16",
        "url": "https://access.redhat.com/errata/RHSA-2023:2903"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALASPHP8.0-2023-005 vom 2023-09-14",
        "url": "https://alas.aws.amazon.com/AL2/ALASPHP8.0-2023-005.html"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2024-B46619F761 vom 2024-04-10",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2024-b46619f761"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2024-5E8AE0DEF0 vom 2024-04-10",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2024-5e8ae0def0"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2024-39D50CC975 vom 2024-04-10",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2024-39d50cc975"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1444-1 vom 2024-04-26",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/BASFW3ZS5T33OQ6TWU672VCOJR5SSESM/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1446-1 vom 2024-04-26",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/B6D6UI3AE3T6YUE6R3EXQ2NFFKLTJVRH/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1445-1 vom 2024-04-26",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018425.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-3810 vom 2024-05-08",
        "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALASPHP8.2-2024-004 vom 2024-05-30",
        "url": "https://alas.aws.amazon.com/AL2/ALASPHP8.2-2024-004.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2037-1 vom 2024-06-17",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018728.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALASPHP8.1-2024-005 vom 2024-06-25",
        "url": "https://alas.aws.amazon.com/AL2/ALASPHP8.1-2024-005.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:10952 vom 2024-12-11",
        "url": "https://access.redhat.com/errata/RHSA-2024:10952"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:10950 vom 2024-12-11",
        "url": "https://access.redhat.com/errata/RHSA-2024:10950"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:10951 vom 2024-12-11",
        "url": "https://access.redhat.com/errata/RHSA-2024:10951"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2024-10952 vom 2024-12-13",
        "url": "https://linux.oracle.com/errata/ELSA-2024-10952.html"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2024:10951 vom 2024-12-19",
        "url": "https://errata.build.resf.org/RLSA-2024:10951"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:7315 vom 2025-05-13",
        "url": "https://access.redhat.com/errata/RHSA-2025:7315"
      }
    ],
    "source_lang": "en-US",
    "title": "PHP: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-05-12T22:00:00.000+00:00",
      "generator": {
        "date": "2025-05-13T11:15:59.779+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2022-1567",
      "initial_release_date": "2022-09-28T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2022-09-28T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2022-10-19T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2022-11-01T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2022-11-08T23:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2022-11-13T23:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von SUSE und Debian aufgenommen"
        },
        {
          "date": "2022-11-15T23:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2022-11-20T23:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2022-11-21T23:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Gentoo aufgenommen"
        },
        {
          "date": "2022-12-11T23:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von Amazon und NetApp aufgenommen"
        },
        {
          "date": "2022-12-15T23:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2023-02-21T23:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2023-02-22T23:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von Oracle Linux aufgenommen"
        },
        {
          "date": "2023-02-28T23:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von Oracle Linux und Red Hat aufgenommen"
        },
        {
          "date": "2023-03-02T23:00:00.000+00:00",
          "number": "14",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2023-05-09T22:00:00.000+00:00",
          "number": "15",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2023-05-16T22:00:00.000+00:00",
          "number": "16",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2023-09-13T22:00:00.000+00:00",
          "number": "17",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2024-04-09T22:00:00.000+00:00",
          "number": "18",
          "summary": "Neue Updates von Fedora aufgenommen"
        },
        {
          "date": "2024-04-25T22:00:00.000+00:00",
          "number": "19",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-05-07T22:00:00.000+00:00",
          "number": "20",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2024-05-30T22:00:00.000+00:00",
          "number": "21",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2024-06-16T22:00:00.000+00:00",
          "number": "22",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-06-24T22:00:00.000+00:00",
          "number": "23",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2024-12-10T23:00:00.000+00:00",
          "number": "24",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2024-12-12T23:00:00.000+00:00",
          "number": "25",
          "summary": "Neue Updates von Oracle Linux aufgenommen"
        },
        {
          "date": "2024-12-18T23:00:00.000+00:00",
          "number": "26",
          "summary": "Neue Updates von Rocky Enterprise Software Foundation aufgenommen"
        },
        {
          "date": "2025-05-12T22:00:00.000+00:00",
          "number": "27",
          "summary": "Neue Updates von Red Hat aufgenommen"
        }
      ],
      "status": "final",
      "version": "27"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Fedora Linux",
            "product": {
              "name": "Fedora Linux",
              "product_id": "74185",
              "product_identification_helper": {
                "cpe": "cpe:/o:fedoraproject:fedora:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Fedora"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Gentoo Linux",
            "product": {
              "name": "Gentoo Linux",
              "product_id": "T012167",
              "product_identification_helper": {
                "cpe": "cpe:/o:gentoo:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Gentoo"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "NetApp Data ONTAP",
            "product": {
              "name": "NetApp Data ONTAP",
              "product_id": "7654",
              "product_identification_helper": {
                "cpe": "cpe:/a:netapp:data_ontap:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "NetApp"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c7.4.31",
                "product": {
                  "name": "Open Source PHP \u003c7.4.31",
                  "product_id": "T024744"
                }
              },
              {
                "category": "product_version",
                "name": "7.4.31",
                "product": {
                  "name": "Open Source PHP 7.4.31",
                  "product_id": "T024744-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:php:php:7.4.31"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c8.0.24",
                "product": {
                  "name": "Open Source PHP \u003c8.0.24",
                  "product_id": "T024745"
                }
              },
              {
                "category": "product_version",
                "name": "8.0.24",
                "product": {
                  "name": "Open Source PHP 8.0.24",
                  "product_id": "T024745-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:php:php:8.0.24"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c8.1.11",
                "product": {
                  "name": "Open Source PHP \u003c8.1.11",
                  "product_id": "T024746"
                }
              },
              {
                "category": "product_version",
                "name": "8.1.11",
                "product": {
                  "name": "Open Source PHP 8.1.11",
                  "product_id": "T024746-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:php:php:8.1.11"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "PHP"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Oracle Linux",
            "product": {
              "name": "Oracle Linux",
              "product_id": "T004914",
              "product_identification_helper": {
                "cpe": "cpe:/o:oracle:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "RESF Rocky Linux",
            "product": {
              "name": "RESF Rocky Linux",
              "product_id": "T032255",
              "product_identification_helper": {
                "cpe": "cpe:/o:resf:rocky_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "RESF"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-31628",
      "product_status": {
        "known_affected": [
          "67646",
          "7654",
          "T012167",
          "T004914",
          "T032255",
          "74185",
          "2951",
          "T002207",
          "T024744",
          "T000126",
          "T024746",
          "T024745",
          "398363"
        ]
      },
      "release_date": "2022-09-28T22:00:00.000+00:00",
      "title": "CVE-2022-31628"
    },
    {
      "cve": "CVE-2022-31629",
      "product_status": {
        "known_affected": [
          "67646",
          "7654",
          "T012167",
          "T004914",
          "T032255",
          "74185",
          "2951",
          "T002207",
          "T024744",
          "T000126",
          "T024746",
          "T024745",
          "398363"
        ]
      },
      "release_date": "2022-09-28T22:00:00.000+00:00",
      "title": "CVE-2022-31629"
    }
  ]
}

CVE-2022-31628 (GCVE-0-2022-31628)

Vulnerability from cvelistv5 – Published: 2022-09-28 22:25 – Updated: 2025-05-20 20:24

Title

phar wrapper can occur dos when using quine gzip file

Summary

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.

Severity ?

2.3 (Low)


                        
                          CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-674 - Uncontrolled Recursion

Assigner

php

References

URL

CVE-2022-31629 (GCVE-0-2022-31629)

Vulnerability from cvelistv5 – Published: 2022-09-28 22:25 – Updated: 2025-11-04 17:12

Title

$_COOKIE names string replacement (. -> _): cookie integrity vulnerabilities

Summary

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CWE

CWE-20 - Improper Input Validation

Assigner

php

References

URL

Tags

	https://bugs.php.net/bug.php?id=81727
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://www.debian.org/security/2022/dsa-5277	vendor-advisory
	https://security.gentoo.org/glsa/202211-03	vendor-advisory
	https://security.netapp.com/advisory/ntap-2022120…
	https://lists.debian.org/debian-lts-announce/2022…	mailing-list
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	http://www.openwall.com/lists/oss-security/2024/0…	mailing-list

Impacted products

	Vendor	Product	Version
	PHP Group	PHP	Affected: 7.4.X , < 7.4.31 (custom) Affected: 8.0.X , < 8.0.24 (custom) Affected: 8.1.X , < 8.1.11 (custom)

Date Public ?

2022-09-27 00:00

Credits

reported by squarcina at gmail dot com

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-31629",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-16T18:53:33.259759Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-1284",
                "description": "CWE-1284 Improper Validation of Specified Quantity in Input",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-29T15:05:18.365Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T17:12:24.069Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugs.php.net/bug.php?id=81727"
          },
          {
            "name": "FEDORA-2022-0b77fbd9e7",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/"
          },
          {
            "name": "FEDORA-2022-afdea1c747",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/"
          },
          {
            "name": "FEDORA-2022-f204e1d0ed",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/"
          },
          {
            "name": "DSA-5277",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5277"
          },
          {
            "name": "GLSA-202211-03",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202211-03"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20221209-0001/"
          },
          {
            "name": "[debian-lts-announce] 20221215 [SECURITY] [DLA 3243-1] php7.3 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html"
          },
          {
            "name": "FEDORA-2024-b46619f761",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGWIK3HMBACERGB4TSBB2JUOMPYY2VKY/"
          },
          {
            "name": "FEDORA-2024-39d50cc975",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSJVPJTX7T3J5V7XHR4MFNHZGP44R5XE/"
          },
          {
            "name": "FEDORA-2024-5e8ae0def0",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJZK3X6B7FBE32FETDSMRLJXTFTHKWSY/"
          },
          {
            "name": "[oss-security] 20240412 PHP security releases 8.1.28, 8.2.18, \u0026 8.3.6",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/04/12/11"
          },
          {
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGWIK3HMBACERGB4TSBB2JUOMPYY2VKY/"
          },
          {
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJZK3X6B7FBE32FETDSMRLJXTFTHKWSY/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PHP",
          "vendor": "PHP Group",
          "versions": [
            {
              "lessThan": "7.4.31",
              "status": "affected",
              "version": "7.4.X",
              "versionType": "custom"
            },
            {
              "lessThan": "8.0.24",
              "status": "affected",
              "version": "8.0.X",
              "versionType": "custom"
            },
            {
              "lessThan": "8.1.11",
              "status": "affected",
              "version": "8.1.X",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "reported by squarcina at gmail dot com"
        }
      ],
      "datePublic": "2022-09-27T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim\u0027s browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-01T17:09:26.439Z",
        "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "shortName": "php"
      },
      "references": [
        {
          "url": "https://bugs.php.net/bug.php?id=81727"
        },
        {
          "name": "FEDORA-2022-0b77fbd9e7",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/"
        },
        {
          "name": "FEDORA-2022-afdea1c747",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/"
        },
        {
          "name": "FEDORA-2022-f204e1d0ed",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/"
        },
        {
          "name": "DSA-5277",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5277"
        },
        {
          "name": "GLSA-202211-03",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202211-03"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20221209-0001/"
        },
        {
          "name": "[debian-lts-announce] 20221215 [SECURITY] [DLA 3243-1] php7.3 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html"
        },
        {
          "name": "FEDORA-2024-b46619f761",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGWIK3HMBACERGB4TSBB2JUOMPYY2VKY/"
        },
        {
          "name": "FEDORA-2024-39d50cc975",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSJVPJTX7T3J5V7XHR4MFNHZGP44R5XE/"
        },
        {
          "name": "FEDORA-2024-5e8ae0def0",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJZK3X6B7FBE32FETDSMRLJXTFTHKWSY/"
        },
        {
          "name": "[oss-security] 20240412 PHP security releases 8.1.28, 8.2.18, \u0026 8.3.6",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2024/04/12/11"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to PHP 7.4.31, 8.0.24, or 8.1.11."
        }
      ],
      "source": {
        "advisory": "https://bugs.php.net/bug.php?id=81727",
        "defect": [
          "81727"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "$_COOKIE names string replacement (. -\u003e _): cookie integrity vulnerabilities",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
    "assignerShortName": "php",
    "cveId": "CVE-2022-31629",
    "datePublished": "2022-09-28T22:25:10.116Z",
    "dateReserved": "2022-05-25T00:00:00.000Z",
    "dateUpdated": "2025-11-04T17:12:24.069Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2022-1567

CVE-2022-31628 (GCVE-0-2022-31628)

CVE-2022-31629 (GCVE-0-2022-31629)

Tags

Sightings

Nomenclature