CVE-2022-31628 php: phar wrapper can produce a denial of service when using quine gzip file

Publication Date 2022-09-29
Severity Moderate
Type Remote Code Execution
Affected PHP Versions
  • 5.6.0 - 5.6.40
  • 7.1.0 - 7.1.33
  • 7.2.0 - 7.2.34
  • 7.3.0 - 7.3.33
  • 7.4.0 - 7.4.30
  • 8.0.0 - 8.0.23
  • 8.1.0 - 8.1.10
Fixed Product Versions
  • ZendPHP 5.6
  • ZendPHP 7.1
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendPHP 8.0
  • ZendPHP 8.1
  • ZendServer 8.1.20
  • ZendServer 9.1.15
  • ZendServer 2019.1.2
  • ZendServer 2021.3.0

CVE Details

In PHP versions before 7.4.31, 8.0.24, and 8.1.11, the PHAR uncompressor code would recursively uncompress gzip "quines" (gzip files whose decompressed output is the gzip file itself), resulting in an infinite loop.
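As an added illustration (not PHP's own code and not the upstream patch), the Python below shows the two guards that stop the loop described above when peeling nested gzip layers: a fixed-point check that catches a quine (one layer decompresses to the same bytes) and a hard cap on the number of layers. The sample input, the `MAX_LAYERS` value and the helper names are constructed for this example.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"
# Cap chosen for this illustration only; it is not PHP's limit.
MAX_LAYERS = 8


class NestedGzipError(Exception):
    """Raised when nested gzip input is unsafe to keep decompressing."""


def uncompress_bounded(data: bytes, max_layers: int = MAX_LAYERS) -> tuple[bytes, int]:
    """Peel gzip layers off `data` until the payload is no longer gzip.

    Two guards bound the loop that the advisory describes as infinite:
      * fixed-point check: a gzip quine decompresses to itself, so if a
        layer yields the same bytes we stop right away;
      * layer cap: any deep or cyclic nesting terminates after max_layers.
    Returns (payload, layers_removed).
    """
    layers = 0
    while data[:2] == GZIP_MAGIC:
        if layers >= max_layers:
            raise NestedGzipError(f"more than {max_layers} gzip layers")
        try:
            inner = gzip.decompress(data)
        except (OSError, EOFError, zlib.error) as exc:
            raise NestedGzipError(f"corrupt gzip layer {layers}") from exc
        if inner == data:
            raise NestedGzipError("gzip quine: layer decompresses to itself")
        data = inner
        layers += 1
    return data, layers


def wrap(payload: bytes, times: int) -> bytes:
    """Constructed-input helper: gzip `payload` `times` times."""
    for _ in range(times):
        payload = gzip.compress(payload, mtime=0)
    return payload


if __name__ == "__main__":
    sample = b"<?php echo 'constructed sample payload';"  # constructed
    print(uncompress_bounded(wrap(sample, 3)))
    try:
        uncompress_bounded(wrap(sample, 20))
    except NestedGzipError as err:
        print("rejected:", err)
```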

Recommendations

If you serve your website from PHAR files, those PHAR files use gzip compression, and you are running a PHP version prior to 7.4.31, 8.0.24, or 8.1.11, you should update to a patched version of PHP.