CVE-2022-31628
Published: 2022-09-28

Priority: P4 | Severity: medium | CVSS 3.1 base score: 5.5
Vector: AV:L / AC:L / PR:L / UI:N / S:U / C:N / I:N / A:H
EPSS: 0.56% (42.6th percentile)

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.

A gzip quine is a gzip stream whose decompressed output is byte-for-byte the stream itself. An uncompressor that keeps unwrapping as long as the output still starts with the gzip magic bytes therefore never terminates (CWE-674, uncontrolled recursion). The impact is availability only: a worker process pinned at 100% CPU on a single crafted archive, with no confidentiality or integrity effect, which is why NVD scores it 5.5 with a local attack vector.
Affected (14 ranges reported across sources; identical rows merged)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | php7.4 | < 7.4.33-1+deb11u1 (bullseye) | 7.4.33-1+deb11u1 (bullseye) |
| fedoraproject | fedora | — | — |
| msrc | cbl2_php_on_cbl_mariner_2.0 | — | — |
| paloalto | pan-os | — | — |
| php, php_group | php | < 7.4.31 | 7.4.31 |
| php, php_group | php | >= 8.0.0, < 8.0.24 | 8.0.24 |
| php, php_group | php | >= 8.1.0, < 8.1.11 | 8.1.11 |
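The two things a practitioner wants from the description and the ranges above are a way to decide whether a given PHP build is in the affected window and a picture of what "bounded" decompression looks like so that a quine cannot spin an uncompressor forever. The following is an added example written for this page, not PHP's phar code or its upstream patch; the layer bound `MAX_LAYERS`, the per-layer size cap `MAX_OUTPUT` and the nested test input are assumptions chosen for illustration.

```python
"""Added example (not PHP's code): bounded gzip layer peeling that refuses
quines, plus a version check against the ranges reported on this page."""
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"
MAX_LAYERS = 3                  # assumed bound on nested gzip wrappers
MAX_OUTPUT = 16 * 1024 * 1024   # assumed cap on bytes inflated per layer


class UnsafeArchive(Exception):
    """Raised when the input is a quine, too deeply nested, or too large."""


def gunzip_one_layer(data: bytes, limit: int = MAX_OUTPUT) -> bytes:
    """Inflate exactly one gzip member, capping output at `limit` bytes
    (decompression bombs are the size-side sibling of the quine problem)."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+MAX_WBITS selects gzip framing
    out = d.decompress(data, limit + 1)
    if len(out) > limit:
        raise UnsafeArchive("decompressed size exceeds limit")
    return out


def peel_gzip_layers(data: bytes, max_layers: int = MAX_LAYERS) -> bytes:
    """Unwrap nested gzip layers the way a naive uncompressor would, but with
    the two checks that stop a quine: output == input, and a layer bound.
    The bound is the check that matters; the equality test alone misses a
    stream that cycles through several distinct forms before repeating."""
    layers = 0
    while data[:2] == GZIP_MAGIC:
        if layers >= max_layers:
            raise UnsafeArchive(f"more than {max_layers} nested gzip layers")
        inner = gunzip_one_layer(data)
        if inner == data:
            raise UnsafeArchive("gzip quine: stream decompresses to itself")
        data = inner
        layers += 1
    return data


def refuses(data: bytes) -> bool:
    """True when peel_gzip_layers rejects `data` as unsafe."""
    try:
        peel_gzip_layers(data)
    except UnsafeArchive:
        return True
    return False


def nest_gzip(payload: bytes, depth: int) -> bytes:
    """Constructed test input: wrap `payload` in `depth` gzip layers. A real
    quine is not embedded here; deep nesting exercises the same loop."""
    for _ in range(depth):
        payload = gzip.compress(payload, mtime=0)
    return payload


# Fixed versions per branch, taken from the Affected table above.
FIXED_IN = {(7, 4): (7, 4, 31), (8, 0): (8, 0, 24), (8, 1): (8, 1, 11)}


def php_version_affected(version: str) -> bool:
    """True if an upstream PHP version string falls inside the affected ranges.
    Distro builds that backport the fix while keeping an old upstream number
    (Ubuntu's php7.4 packages are 7.4.3-based) will read as affected here, so
    consult the package changelog for those rather than this function."""
    parts = version.split("-")[0].split(".")[:3]
    v = tuple(int(p) for p in parts) + (0,) * (3 - len(parts))
    fixed = FIXED_IN.get(v[:2])
    if fixed is not None:
        return v < fixed
    return v < (7, 4, 31)  # older branches: unpatched per the "< 7.4.31" row


if __name__ == "__main__":
    print(peel_gzip_layers(nest_gzip(b"phar stub", 3)))   # b'phar stub'
    print("4 layers refused:", refuses(nest_gzip(b"phar stub", 4)))
    for ver in ("7.4.30", "7.4.31", "8.0.23", "8.1.11", "8.2.0"):
        print(ver, php_version_affected(ver))
```

The layer bound, not the quine equality check, is the defence to rely on: any stream that keeps producing gzip-framed output past a small fixed depth is hostile regardless of whether it reproduces itself exactly. Pair it with the size cap, since the same code path is where decompression bombs land.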
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| osv | 5.5 | MEDIUM | — |
| vendor_debian | 2.3 | LOW | — |
| vendor_msrc | 2.3 | LOW | — |
| vendor_redhat | 2.3 | LOW | — |
| vendor_ubuntu | 2.3 | LOW | — |
OSV
php7.0 vulnerabilities
osv · 2023-03-02 · CVSS 5.5 · MEDIUM
It was discovered that PHP incorrectly handled certain gzip files.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2022-31628)
It was discovered that PHP incorrectly handled certain cookies.
An attacker could possibly use this issue to compromise data integrity.
(CVE-2022-31629)
It was discovered that PHP incorrectly handled certain inputs.
An attacker could possibly use this issue to cause a crash or
execute arbitrary code. (CVE-2022-31631)
It was discovered that PHP incorrectly handled resolving long paths. A
remote attacker could possibly use this issue to obtain or modify sensitive
information. (CVE-2023-0568)
It was discovered that PHP incorrectly handled a large number of field and file
parts in HTTP form uploads. A remote atta
OSV
php7.2, php7.4, php8.1 vulnerabilities
osv · 2022-11-08 · CVSS 5.5 · MEDIUM
It was discovered that PHP incorrectly handled certain gzip files.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2022-31628)
It was discovered that PHP incorrectly handled certain cookies.
An attacker could possibly use this issue to compromise the data
(CVE-2022-31629)
It was discovered that PHP incorrectly handled certain image fonts.
An attacker could possibly use this issue to expose sensitive information.
This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.10, and Ubuntu 22.04 LTS.
(CVE-2022-31630)
Nicky Mouha discovered that PHP incorrectly handled certain SHA-3 operations.
An attacker could possibly use this issue to cause a crash
or execute arbitrary code. This issue only affected Ubuntu 20.04 LTS,
Ubuntu 22
GHSA
GHSA-cj46-35hf-rv96
ghsa_unreviewed · 2022-09-29 · MEDIUM · CWE-674
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.
OSV
CVE-2022-31628
osv · 2022-09-28 · CVSS 5.5 · MEDIUM
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.
CISA ICS
Festo Didactic SE MES PC
cisa_ics · 2026-01-27 · CVSS 7.5 · HIGH
ICS Advisory ICSA-26-027-02, release date January 27, 2026
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
Summary
MES PCs shipped with Windows 10 come pre-installed with XAMPP. XAMPP is a bundle of third-party open-source applications including the Apache HTTP Server, the MariaDB database and more. From time to time, vulnerabilities in these applications are discovered. These are fixed in newer versions of XAMPP by updating the bundled applications. MES PCs shipped with Windows 10 include a copy of XAMPP which contains around 140 such vulnerabilities listed in this advisory. They can be fixed by replacing XAMPP with Festo Didactic's Factory Control Panel application.
The
Palo Alto
PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto · 2024-02-14 · CVSS 9.8 · CRITICAL (score attached to CVE-2017-18342, the first CVE in the bulletin)
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2017-18342, CVE-2017-8923, CVE-2017-9120, CVE-2019-1551, CVE-2019-16865, CVE-2019-16905, CVE-2019-19523, CVE-2019-19528, CVE-2019-19911, CVE-2020-0404, CVE-2020-0431, CVE-2020-0466, CVE-2020-10379, CVE-2020-11538, CVE-2020-11608, CVE-2020-12114, CVE-2020-12321, CVE-2020-12362, CVE-2020-12363, CVE-2020-12364, CVE-2020-13757, CVE-2020-14314, CVE-2020-14351, CVE-2020-15778, CVE-2020-1967, CVE-2020-24394, CVE-2020-24504, CVE-2020-25211, CVE-2020-25212, CVE-2020-25284, CVE-2020-25285, CVE-2020-25717, CVE-2020-26541, CVE-2020-2715
Ubuntu
PHP vulnerabilities
vendor_ubuntu · 2023-03-02 · CVSS 2.3 · LOW (entry indexed under CVE-2023-0568)
Summary: Several security issues were fixed in PHP.
It was discovered that PHP incorrectly handled certain gzip files.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2022-31628)
It was discovered that PHP incorrectly handled certain cookies.
An attacker could possibly use this issue to compromise data integrity.
(CVE-2022-31629)
It was discovered that PHP incorrectly handled certain inputs.
An attacker could possibly use this issue to cause a crash or
execute arbitrary code. (CVE-2022-31631)
It was discovered that PHP incorrectly handled resolving long paths. A
remote attacker could possibly use this issue to obtain or modify sensitive
information. (CVE-2023-0568)
It was discovered that PHP incorrectly handled a large number of
Ubuntu
PHP vulnerabilities
vendor_ubuntu · 2022-11-08 · CVSS 2.3 · LOW (entry indexed under CVE-2022-31630)
Summary: Several security issues were fixed in PHP.
It was discovered that PHP incorrectly handled certain gzip files.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2022-31628)
It was discovered that PHP incorrectly handled certain cookies.
An attacker could possibly use this issue to compromise the data
(CVE-2022-31629)
It was discovered that PHP incorrectly handled certain image fonts.
An attacker could possibly use this issue to expose sensitive information.
This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.10, and Ubuntu 22.04 LTS.
(CVE-2022-31630)
Nicky Mouha discovered that PHP incorrectly handled certain SHA-3 operations.
An attacker could possibly use this issue to cause a crash
or execute arbitrary code. This issue
Red Hat
php: phar: infinite loop when decompressing quine gzip file
vendor_redhat · 2022-09-29 · CVSS 2.3 · LOW · CWE-674
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.
A vulnerability was found in PHP due to an infinite loop within the phar uncompressor code when processing "quines" gzip files. This vulnerability allows a remote attacker to pass a specially crafted archive to the application, and consume all available system resources, causing a denial of service condition.
Package: php (Red Hat Enterprise Linux 6) - Out of support scope
Package: php (Red Hat Enterprise Linux 7) - Out of support scope
Package: rh-php73-php (Red Hat Software Collections) - Fix deferred
Microsoft
phar wrapper can occur dos when using quine gzip file
vendor_msrc · 2022-09-13 · CVSS 2.3 · LOW · CWE-674
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Distribution: Mariner
Package: php
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.micro
Debian
CVE-2022-31628: php7.4
vendor_debian · 2022 · CVSS 2.3 · LOW
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.
Scope: local
bullseye: resolved (fixed in 7.4.33-1+deb11u1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://bugs.php.net/bug.php?id=81726
https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/
https://security.gentoo.org/glsa/202211-03
https://security.netapp.com/advisory/ntap-20221209-0001/
https://www.debian.org/security/2022/dsa-5277

Published: 2022-09-28