CVE-2022-37454: Integer Overflow or Wraparound in PHP

Severity
9.8 CRITICAL (NVD)
OSV 7.6 / OSV 5.5
EPSS
1.4%
top 19.56%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Oct 21
Latest update: Feb 27

Description

The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (18 packages)

Source   Package          Affected versions
NVD      php/php          7.2.0 to 7.4.33 (+2)
Debian   debian/pypy3     < php7.4 7.4.33-1+deb11u1 (bullseye)
NVD      python/python    3.6.0 to 3.7.16 (+3)
Debian   debian/php7.4    < php7.4 7.4.33-1+deb11u1 (bullseye)
Debian   debian/pysha3    < php7.4 7.4.33-1+deb11u1 (bullseye)

Also affects: Debian Linux 10.0, 11.0, Fedora 35, 36

Patches

Vulnerability Details (9)

OSV: Buffer overflow in sponge queue functions (2023-04-26)
GHSA: Buffer overflow in sponge queue functions (2023-04-26)
OSV: python3.8 vulnerability (2023-03-07)
OSV: python3.7 vulnerability (2023-03-07)
OSV: python3.6 vulnerability (2023-03-06)

Vendor Advisories (14)

Palo Alto: PAN-SA-2024-0004 Informational Bulletin: OSS CVEs fixed in PAN-OS (2024-04-10)
CISA ICS: Siemens SCALANCE XCM-/XRM-300 (2024-02-15)
Palo Alto: PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS (2024-02-14)
Ubuntu: PyPy vulnerability (2023-11-29)
Ubuntu: pysha3 vulnerability (2023-11-29)

Research Papers (2)

arXiv: Unveiling Security Weaknesses in Autonomous Driving Systems: An In-Depth Empirical Study (2025-02-27)
arXiv: Free Proxies Unmasked: A Vulnerability and Longitudinal Analysis of Free Proxy Services (2024-03-04)