CVE-2022-31629

high-risk

Published 2022-09-28

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.

Do I need to act?

15.4% chance of exploitation in next 30 days

EPSS score — higher than 85% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (6)

Php

Fedora

Debian Linux

Affected Vendors

Debian Php Fedoraproject

References (26)

http://www.openwall.com/lists/oss-security/2024/04/12/11

Exploit https://bugs.php.net/bug.php?id=81727

Mailing List https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Third Party Advisory https://security.gentoo.org/glsa/202211-03

Third Party Advisory https://security.netapp.com/advisory/ntap-20221209-0001/

Third Party Advisory https://www.debian.org/security/2022/dsa-5277

http://www.openwall.com/lists/oss-security/2024/04/12/11

Exploit https://bugs.php.net/bug.php?id=81727

Mailing List https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

and 6 more references

/ 100

high-risk

Severity 24/34 · High

Exploitability 13/34 · Low

Exposure 13/34 · Low