CVE-2022-31628
published 2022-09-28

CVE-2022-31628: In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress gzip "quines" (gzip streams whose decompressed output is again the same gzip stream), so the "decompress while the data still looks compressed" loop never terminates, resulting in an infinite loop and a denial of service on the process opening the phar.
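The loop the description refers to, shown as an added example in Python rather than as code from the PHP project or from this page: a naive "decompress while it still looks gzip-compressed" routine beside a bounded one that caps the number of layers and rejects an exact fixed point before re-entering it. The layer limit, the helper names, the constructed phar-stub bytes and the stand-in decompress function that simulates a quine (genuine quine bytes are not reproduced here) are all this example's assumptions; the fix PHP actually shipped is not reproduced.

```python
"""Bounded nested-decompression check (added example, not PHP's phar code).

CVE-2022-31628 describes a loop of the form "while the data still looks
gzip-compressed, decompress it". A gzip quine (a stream whose decompressed
output is itself) makes that loop never terminate. Below, the unbounded
pattern sits beside a bounded one that caps the number of layers and
rejects a fixed point outright.
"""
import gzip
from typing import Callable

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip member


def is_gzip(data: bytes) -> bool:
    """Same kind of magic-byte sniff an uncompressor uses to decide whether
    it has finished peeling compression layers."""
    return data[:2] == GZIP_MAGIC


def unwrap_unbounded(data: bytes,
                     decompress: Callable[[bytes], bytes] = gzip.decompress) -> bytes:
    """Vulnerable pattern: peel gzip layers until the payload is not gzip.
    Terminates for finite nesting, never for a quine (decompress(x) == x).
    Kept only to contrast with unwrap_bounded; do not use on untrusted input."""
    while is_gzip(data):
        data = decompress(data)
    return data


class NestedCompressionError(ValueError):
    """Raised when input nests more compression layers than allowed, or
    decompresses to itself."""


def unwrap_bounded(data: bytes, max_layers: int = 1,
                   decompress: Callable[[bytes], bytes] = gzip.decompress) -> bytes:
    """Hardened form: at most `max_layers` gzip layers, and an exact fixed
    point (quine) is rejected immediately rather than re-entered.
    max_layers=1 reflects the expectation that an archive is compressed at
    most once; the limit itself is this example's assumption."""
    layers = 0
    while is_gzip(data):
        if layers >= max_layers:
            raise NestedCompressionError(
                f"more than {max_layers} compression layer(s)")
        inner = decompress(data)
        if inner == data:
            # A quine: the unbounded loop above would spin here forever.
            raise NestedCompressionError("gzip stream decompresses to itself")
        data = inner
        layers += 1
    return data


def nested_gzip(payload: bytes, layers: int) -> bytes:
    """Constructed sample input: `payload` wrapped in `layers` gzip layers."""
    for _ in range(layers):
        payload = gzip.compress(payload)
    return payload


def fake_quine_decompress(data: bytes) -> bytes:
    """Stand-in for decompressing a gzip quine: output equals input.
    Used because genuine quine bytes are not reproduced in this example."""
    return data


if __name__ == "__main__":
    # Constructed stand-in for a phar stub; not a real archive.
    stub = b"<?php __HALT_COMPILER(); ?>"
    print(unwrap_bounded(nested_gzip(stub, 1)))
    samples = (
        (nested_gzip(stub, 3), {}),
        (GZIP_MAGIC + b"pretend-quine", {"decompress": fake_quine_decompress}),
    )
    for sample, kwargs in samples:
        try:
            unwrap_bounded(sample, **kwargs)
        except NestedCompressionError as exc:
            print("rejected:", exc)
```

The fixed-point check gives a precise diagnosis for a true quine, but the layer bound is what actually guarantees termination: a two-stream cycle (A decompresses to B, B to A) would slip past an equality test alone and still be stopped by `max_layers`.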

Priority: P4 (24)
Severity: medium, 5.5 (CVSS 3.1)
Vector: AV:L AC:L PR:L UI:N S:U C:N I:N A:H
EPSS: 0.56% (42.6th percentile)

Affected

14 ranges

Vendor        | Product                     | Version range                          | Fixed in
debian        | debian_linux                |                                        |
debian        | debian_linux                |                                        |
debian        | php7.4                      | < php7.4 7.4.33-1+deb11u1 (bullseye)   | php7.4 7.4.33-1+deb11u1 (bullseye)
fedoraproject | fedora                      |                                        |
fedoraproject | fedora                      |                                        |
fedoraproject | fedora                      |                                        |
msrc          | cbl2_php_on_cbl_mariner_2.0 |                                        |
paloalto      | pan-os                      |                                        |
php           | php                         | < 7.4.31                               | 7.4.31
php           | php                         | >= 8.0.0, < 8.0.24                     | 8.0.24
php           | php                         | >= 8.1.0, < 8.1.11                     | 8.1.11
php_group     | php                         | >= 7.4.X, < 7.4.31                     | 7.4.31
php_group     | php                         | >= 8.0.X, < 8.0.24                     | 8.0.24
php_group     | php                         | >= 8.1.X, < 8.1.11                     | 8.1.11

CVSS provenance

Source        | Score | Severity | Vector
nvd (v3.1)    | 5.5   | MEDIUM   | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
osv           | 5.5   | MEDIUM   |
vendor_debian | 2.3   | LOW      |
vendor_msrc   | 2.3   | LOW      |
vendor_redhat | 2.3   | LOW      |
vendor_ubuntu | 2.3   | LOW      |