CVE-2022-31628

phar wrapper can occur dos when using quine gzip file

Description

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.

Remediation

Solution:

Upgrade to PHP 7.4.31, 8.0.24, or 8.1.11.

References

Link	Tags
https://bugs.php.net/bug.php?id=81726	third party advisory permissions required
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/	vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/	vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/	vendor advisory
https://www.debian.org/security/2022/dsa-5277	third party advisory vendor advisory
https://security.gentoo.org/glsa/202211-03	third party advisory vendor advisory
https://security.netapp.com/advisory/ntap-20221209-0001/	third party advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html	third party advisory mailing list

Frequently Asked Questions

What is the severity of CVE-2022-31628?: CVE-2022-31628 has been scored as a low severity vulnerability.
How to fix CVE-2022-31628?: To fix CVE-2022-31628: Upgrade to PHP 7.4.31, 8.0.24, or 8.1.11.
Is CVE-2022-31628 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2022-31628 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-31628?: CVE-2022-31628 affects PHP Group PHP.

Description

Remediation

Categories

CWE-674 – Uncontrolled Recursion

CWE-835 – Loop with Unreachable Exit Condition ('Infinite Loop')

References

Frequently Asked Questions