CVE-2023-0662

Description

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space.

How to fix CVE-2023-0662

To remediate CVE-2023-0662, upgrade the affected package to a fixed version below.

• —upgrade to 8.0.28 or later
• —upgrade to 8.0.28 or later
• —upgrade to 8.0.28 or later
• —upgrade to 7.4.33-1+deb11u3 or later
• —upgrade to 8.2.4-1 or later

Is CVE-2023-0662 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• >= 8.0.0, < 8.0.28, >= 8.1.0, < 8.1.16, >= 8.2.0, < 8.2.3
• >= 8.0.0, < 8.0.28, >= 8.1.0, < 8.1.16, >= 8.2.0, < 8.2.3
• >= 8.0.0, < 8.0.28, >= 8.1.0, < 8.1.16, >= 8.2.0, < 8.2.3
• from 0, < 7.4.33-1+deb11u3
• from 0, < 8.2.4-1

CVSS scores

References (4)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-0662
• WEBgithub.com/php/php-src/security/advisories/GHSA-54hq-v5wp-fqgv
• WEBnvd.nist.gov/vuln/detail/CVE-2023-0662
• WEBsecurity.netapp.com/advisory/ntap-20230517-0001/