CVE-2022-31627

EUVD-2022-53079
In PHP versions 8.1.x below 8.1.8, when fileinfo functions, such as finfo_buffer, due to incorrect patch applied to the third party code from libmagic, incorrect function may be used to free allocated memory, which may lead to heap corruption.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.7 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
phpCNA
7.7 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 39%
Affected Products (NVD)
VendorProductVersion
phpphp
8.1.0 ≤
𝑥
< 8.1.8
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
php7.4
bullseye
7.4.33-1+deb11u5
fixed
bullseye (security)
7.4.33-1+deb11u6
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
php5
bionic
dne
focal
dne
impish
dne
jammy
dne
kinetic
dne
trusty
not-affected
xenial
dne
php7.0
bionic
dne
focal
dne
impish
dne
jammy
dne
kinetic
dne
trusty
dne
xenial
not-affected
php7.2
bionic
not-affected
focal
dne
impish
dne
jammy
dne
kinetic
dne
trusty
dne
xenial
dne
php7.4
bionic
dne
focal
not-affected
impish
dne
jammy
dne
kinetic
dne
trusty
dne
xenial
dne
php8.0
bionic
dne
focal
dne
impish
not-affected
jammy
dne
kinetic
dne
trusty
dne
xenial
dne
php8.1
bionic
dne
focal
dne
impish
dne
jammy
Fixed 8.1.2-1ubuntu2.2
released
kinetic
Fixed 8.1.5-1ubuntu3
released
trusty
dne
xenial
dne
Common Weakness Enumeration
References
https://bugs.php.net/bug.php?id=81723
https://security.gentoo.org/glsa/202209-20
https://security.netapp.com/advisory/ntap-20220826-0008/
https://bugs.php.net/bug.php?id=81723
https://security.gentoo.org/glsa/202209-20
https://security.netapp.com/advisory/ntap-20220826-0008/