CVE-2022-31628

Source
https://cve.org/CVERecord?id=CVE-2022-31628
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-31628.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-31628
Aliases
Downstream
Related
Published
2022-09-28T22:25:09.309Z
Modified
2026-05-28T04:08:03.944322418Z
Severity
  • 2.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
Phar wrapper can cause DoS when processing a quine gzip file
Details

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quine" gzip files (archives that decompress to themselves), resulting in an infinite loop.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31628.json",
    "cna_assigner": "php",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "7.4.X"
                },
                {
                    "fixed": "7.4.31"
                },
                {
                    "introduced": "8.0.X"
                },
                {
                    "fixed": "8.0.24"
                },
                {
                    "introduced": "8.1.X"
                },
                {
                    "fixed": "8.1.11"
                }
            ],
            "source": "AFFECTED_FIELD"
        },
        {
            "extracted_events": [
                {
                    "fixed": "7.4.31"
                }
            ],
            "source": "DESCRIPTION"
        }
    ],
    "cwe_ids": [
        "CWE-674"
    ]
}
References

Affected packages

Git / github.com/php/php-src

Affected ranges

Type
GIT
Repo
https://github.com/php/php-src
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "7.4.31"
        },
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.0.24"
        },
        {
            "introduced": "8.1.0"
        },
        {
            "fixed": "8.1.11"
        }
    ],
    "cpe": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE"
}

Affected versions

Other
POST_64BIT_BRANCH_MERGE
POST_AST_MERGE
POST_PHP7_NSAPI_REMOVAL
POST_PHP7_REMOVALS
POST_PHPNG_MERGE
PRE_64BIT_BRANCH_MERGE
PRE_AST_MERGE
PRE_PHP7_EREG_MYSQL_REMOVALS
PRE_PHP7_NSAPI_REMOVAL
PRE_PHP7_REMOVALS

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-31628.json"