CVE-2022-31628
CVE-2022-31628 php: phar wrapper can produce a denial of service when using quine gzip file
Publication Date | 2022-09-29 |
---|---|
Severity | Moderate |
Type | Remote Code Execution |
Affected PHP Versions | |
Fixed Product Versions | |
CVE Details
In PHP versions before 7.4.31, 8.0.24, and 8.1.11, the PHAR decompression code would recursively decompress "quine" gzip files (files whose decompressed content is again the same gzip file), resulting in an infinite loop.
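The failure mode can be modelled outside PHP. The following is an added example, not PHP's own code or the upstream fix: it peels gzip layers with a layer counter and an output size cap. The names `unwrap_gzip` and `nest` and the limits of 3 layers and 1 MiB are assumptions made for illustration, and the sample input is built by ordinary nested compression rather than being a real quine.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # gzip ID bytes followed by the deflate method byte


class NestingLimitExceeded(Exception):
    """Raised when the data is still gzip after max_layers rounds."""


def _inflate_capped(data: bytes, max_bytes: int) -> bytes:
    """Decompress one gzip layer, refusing to produce more than max_bytes."""
    d = zlib.decompressobj(wbits=31)  # 31 = expect a gzip header and trailer
    out = d.decompress(data, max_bytes + 1)
    if len(out) > max_bytes:
        raise ValueError("layer expands past the size cap")
    if not d.eof:
        raise ValueError("truncated gzip layer")
    return out


def unwrap_gzip(data: bytes, max_layers: int = 3, max_bytes: int = 1 << 20) -> bytes:
    """Peel gzip layers until the payload is no longer gzip.

    Without the layer counter this loop has the behaviour described above:
    a quine always yields gzip again, so the loop would never terminate.
    """
    layers = 0
    while data.startswith(GZIP_MAGIC):
        if layers == max_layers:
            raise NestingLimitExceeded(f"still gzip after {max_layers} layers")
        data = _inflate_capped(data, max_bytes)
        layers += 1
    return data


def nest(payload: bytes, depth: int) -> bytes:
    """Constructed sample input: payload wrapped in `depth` gzip layers."""
    for _ in range(depth):
        payload = gzip.compress(payload)
    return payload


if __name__ == "__main__":
    print(unwrap_gzip(nest(b"plain payload", 2)))
    try:
        unwrap_gzip(nest(b"plain payload", 10))
    except NestingLimitExceeded as exc:
        print("rejected:", exc)
```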
Recommendations
If you use PHAR files to serve your website, the PHAR files utilize gzip compression, and you are on PHP versions prior to 7.4.31, 8.0.24, or 8.1.11, you should update to a patched version of PHP.