CVE-2022-31628 | Zend by Perforce

CVE-2022-31628 php: phar wrapper can produce a denial of service when using quine gzip file

Publication Date	2022-09-29
Severity	Moderate
Type	Remote Code Execution
Affected PHP Versions	5.6.0 - 5.6.40 7.1.0 - 7.1.33 7.2.0 - 7.2.34 7.3.0 - 7.3.33 7.4.0 - 7.4.30 8.0.0 - 8.0.23 8.1.0 - 8.1.10
Fixed Product Versions	ZendPHP 5.6 ZendPHP 7.1 ZendPHP 7.2 ZendPHP 7.3 ZendPHP 7.4 ZendPHP 8.0 ZendPHP 8.1 ZendServer 8.1.20 ZendServer 9.1.15 ZendServer 2019.1.2 ZendServer 2021.3.0

CVE Details

In PHP versions before 7.4.31, 8.0.24, and 8.1.11, the PHAR uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.

Recommendations

If you use PHAR files to serve your website, the PHAR files utilize gzip compression, and you are on PHP versions prior to 7.4.31, 8.0.24, or 8.1.11, you should update to a patched version of PHP.

< View all CVEs