CVE-2022-31629
Summary
| CVE | CVE-2022-31629 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-09-28 23:15:00 UTC |
| Updated | 2023-11-07 03:47:00 UTC |
| Description | In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications. |
Risk And Classification
Problem Types: NVD-CWE-noinfo
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 11.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 35 | All | All | All |
| Operating System | Fedoraproject | Fedora | 36 | All | All | All |
| Operating System | Fedoraproject | Fedora | 37 | All | All | All |
| Application | Php | Php | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| PHP: Multiple Vulnerabilities (GLSA 202211-03) — Gentoo security | GENTOO | security.gentoo.org | |
| September 2022 PHP Vulnerabilities in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| [SECURITY] Fedora 36 Update: php-8.1.11-1.fc36 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| [SECURITY] Fedora 35 Update: php-8.0.24-1.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 37 Update: php-8.1.12-1.fc37 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| PHP :: You must be logged in | MISC | bugs.php.net | |
| [SECURITY] Fedora 35 Update: php-8.0.24-1.fc35 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| [SECURITY] Fedora 36 Update: php-8.1.11-1.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Debian -- Security Information -- DSA-5277-1 php7.4 | DEBIAN | www.debian.org | |
| [SECURITY] Fedora 37 Update: php-8.1.12-1.fc37 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| [SECURITY] [DLA 3243-1] php7.3 security update | MLIST | lists.debian.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: reported by squarcina at gmail dot com
Legacy QID Mappings
- 150578 PHP Multiple Vulnerabilities (CVE-2022-31629,CVE-2022-31628)
- 160478 Oracle Enterprise Linux Security Update for php:8.0 (ELSA-2023-0848)
- 160486 Oracle Enterprise Linux Security Update for Hypertext Preprocessor (PHP) (ELSA-2023-0965)
- 160592 Oracle Enterprise Linux Security Update for 8.1 (ELSA-2023-2417)
- 160672 Oracle Enterprise Linux Security Update for php:7.4 (ELSA-2023-2903)
- 181210 Debian Security Update for php7.4 (DSA 5277-1)
- 181332 Debian Security Update for php7.3 (DLA 3243-1)
- 199021 Ubuntu Security Notification for Hypertext Preprocessor (PHP) Vulnerabilities (USN-5717-1)
- 199545 Ubuntu Security Notification for Hypertext Preprocessor (PHP) Vulnerabilities (USN-5905-1)
- 241205 Red Hat Update for php:8.0 (RHSA-2023:0848)
- 241219 Red Hat Update for Hypertext Preprocessor (PHP) (RHSA-2023:0965)
- 241447 Red Hat Update for php:8.1 (RHSA-2023:2417)
- 241540 Red Hat Update for php:7.4 (RHSA-2023:2903)
- 283177 Fedora Security Update for Hypertext Preprocessor (PHP) (FEDORA-2022-0b77fbd9e7)
- 283190 Fedora Security Update for Hypertext Preprocessor (PHP) (FEDORA-2022-afdea1c747)
- 283450 Fedora Security Update for Hypertext Preprocessor (PHP) (FEDORA-2022-f204e1d0ed)
- 296098 Oracle Solaris 11.4 Support Repository Update (SRU) 52.132.2 Missing (CPUOCT2022)
- 354414 Amazon Linux Security Advisory for php8.1 : ALAS2022-2022-243
- 354548 Amazon Linux Security Advisory for php8.1 : ALAS-2022-243
- 355222 Amazon Linux Security Advisory for php8.1 : ALAS2023-2023-081
- 356075 Amazon Linux Security Advisory for Hypertext Preprocessor (PHP) : ALASPHP8.0-2023-005
- 356081 Amazon Linux Security Advisory for Hypertext Preprocessor (PHP) : ALASPHP8.0-2023-005
- 378747 Alibaba Cloud Linux Security Update for php:7.4 (ALINUX3-SA-2023:0088)
- 38881 Hypertext Preprocessor (PHP) Multiple Security Vulnerabilities (81726, 81727)
- 502516 Alpine Linux Security Update for php7
- 502517 Alpine Linux Security Update for php8
- 502518 Alpine Linux Security Update for php81
- 502567 Alpine Linux Security Update for php7
- 502574 Alpine Linux Security Update for php8
- 503680 Alpine Linux Security Update for php8
- 672601 EulerOS Security Update for Hypertext Preprocessor (PHP) (EulerOS-SA-2023-1332)
- 710684 Gentoo Linux Hypertext Preprocessor (PHP) Multiple Vulnerabilities (GLSA 202211-03)
- 752793 SUSE Enterprise Linux Security Update for php72 (SUSE-SU-2022:3957-1)
- 752863 SUSE Enterprise Linux Security Update for php7 (SUSE-SU-2022:3997-1)
- 752878 SUSE Enterprise Linux Security Update for php7 (SUSE-SU-2022:4067-1)
- 752898 SUSE Enterprise Linux Security Update for php7 (SUSE-SU-2022:4069-1)
- 752901 SUSE Enterprise Linux Security Update for php74 (SUSE-SU-2022:4068-1)
- 753325 SUSE Enterprise Linux Security Update for php8 (SUSE-SU-2022:3661-1)
- 904079 Common Base Linux Mariner (CBL-Mariner) Security Update for Hypertext Preprocessor (PHP) (11070)
- 940930 AlmaLinux Security Update for php:8.0 (ALSA-2023:0848)
- 940947 AlmaLinux Security Update for Hypertext Preprocessor (PHP) (ALSA-2023:0965)
- 941025 AlmaLinux Security Update for php:8.1 (ALSA-2023:2417)
- 941091 AlmaLinux Security Update for php:7.4 (ALSA-2023:2903)
- 960657 Rocky Linux Security Update for php:8.0 (RLSA-2023:0848)
- 960904 Rocky Linux Security Update for Hypertext Preprocessor (PHP) (RLSA-2023:0965)