CVE-2022-31630

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-31630

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31630.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-31630

Aliases

BIT-php-2022-31630

Related

Published

2022-11-14T07:15:09Z

Modified

2024-09-18T03:23:03.522737Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H CVSS Calculator

Summary

[none]

Details

In PHP versions prior to 7.4.33, 8.0.25 and 8.1.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information.

References

Affected packages

Debian:11 / php7.4

Package

Name: php7.4
Purl: pkg:deb/debian/php7.4?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.4.33-1+deb11u1

Affected versions

7.*

7.4.21-1+deb11u1

7.4.25-1+deb11u1

7.4.26-1

7.4.28-1+deb11u1

7.4.30-1+deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/php/php-src

Affected ranges

Type: GIT
Repo: https://github.com/php/php-src
Events: Introduced

3c7824e16ec4c3cee417262445d2c2b66531c10f

Fixed

dca8d5565b947270a29f232bc54efd9df3b92b94