CVE-2022-31628

low-risk

Published 2022-09-28

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.

Do I need to act?

0.04% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 2.3/10 Low

LOCAL / LOW complexity

Affected Products (6)

Php

Fedora

Debian Linux

Affected Vendors

Debian Php Fedoraproject

References (16)

Permissions Required https://bugs.php.net/bug.php?id=81726

Mailing List https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Third Party Advisory https://security.gentoo.org/glsa/202211-03

Third Party Advisory https://security.netapp.com/advisory/ntap-20221209-0001/

Third Party Advisory https://www.debian.org/security/2022/dsa-5277

Permissions Required https://bugs.php.net/bug.php?id=81726

Mailing List https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Third Party Advisory https://security.gentoo.org/glsa/202211-03

Third Party Advisory https://security.netapp.com/advisory/ntap-20221209-0001/

Third Party Advisory https://www.debian.org/security/2022/dsa-5277

/ 100

low-risk

Severity 10/34 · Low

Exploitability 0/34 · Minimal

Exposure 13/34 · Low