CVE-2022-31630
OOB read due to insufficient input validation in imageloadfont()
7.1
HIGH
CVSS 3.1
EPSS 0.05%
Description
In PHP versions prior to 7.4.33, 8.0.25 and 8.1.12, the imageloadfont() function in the gd extension does not sufficiently validate its input, so a specially crafted font file can be supplied; if the loaded font is then used with the imagechar() function, a read outside the allocated buffer occurs. This can lead to crashes or disclosure of confidential information.
How to fix CVE-2022-31630
To remediate CVE-2022-31630, upgrade the affected package to a fixed version below.
- upgrade to 7.4.33 or later
- upgrade to 7.4.33 or later
- upgrade to 7.4.33 or later
- upgrade to 7.4.33-1+deb11u1 or later
Is CVE-2022-31630 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- >= 7.4.0, < 7.4.33, >= 8.0.0, < 8.0.25, >= 8.1.0, < 8.1.12
- >= 7.4.0, < 7.4.33, >= 8.0.0, < 8.0.25, >= 8.1.0, < 8.1.12
- >= 7.4.0, < 7.4.33, >= 8.0.0, < 8.0.25, >= 8.1.0, < 8.1.12
- from 0, < 7.4.33-1+deb11u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.1 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H |