CVE-2022-31628 — php7.4 - security update

Description

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.

How to fix CVE-2022-31628

To remediate CVE-2022-31628, upgrade the affected package to a fixed version below.

Bitnami/libphp—upgrade to 7.4.31 or later
Bitnami/php—upgrade to 7.4.31 or later
—upgrade to 7.4.31 or later
—upgrade to 7.4.33-1+deb11u1 or later
—upgrade to 7.4.33-1+deb11u1 or later

Is CVE-2022-31628 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

from 0, < 7.4.31, >= 8.0.0, < 8.0.24, >= 8.1.0, < 8.1.11
from 0, < 7.4.31, >= 8.0.0, < 8.0.24, >= 8.1.0, < 8.1.11
from 0, < 7.4.31, >= 8.0.0, < 8.0.24, >= 8.1.0, < 8.1.11
from 0, < 7.4.33-1+deb11u1
from 0, < 7.4.33-1+deb11u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References (10)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-31628
WEBbugs.php.net/bug.php?id=81726
WEBlists.debian.org/debian-lts-announce/2022/12/msg00030.html
WEBlists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/