{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-31629", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "assignerShortName": "php", "dateUpdated": "2024-10-29T15:05:18.365Z", "dateReserved": "2022-05-25T00:00:00", "datePublished": "2022-09-28T22:25:10.116784Z"}, "containers": {"cna": {"title": "$_COOKIE names string replacement (. -> _): cookie integrity vulnerabilities", "datePublic": "2022-09-27T00:00:00", "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2024-05-01T17:09:26.439685"}, "descriptions": [{"lang": "en", "value": "In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications."}], "affected": [{"vendor": "PHP Group", "product": "PHP", "versions": [{"version": "7.4.X", "status": "affected", "lessThan": "7.4.31", "versionType": "custom"}, {"version": "8.0.X", "status": "affected", "lessThan": "8.0.24", "versionType": "custom"}, {"version": "8.1.X", "status": "affected", "lessThan": "8.1.11", "versionType": "custom"}]}], "references": [{"url": "https://bugs.php.net/bug.php?id=81727"}, {"name": "FEDORA-2022-0b77fbd9e7", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/"}, {"name": "FEDORA-2022-afdea1c747", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/"}, {"name": "FEDORA-2022-f204e1d0ed", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/"}, {"name": "DSA-5277", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2022/dsa-5277"}, {"name": "GLSA-202211-03", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202211-03"}, {"url": "https://security.netapp.com/advisory/ntap-20221209-0001/"}, {"name": "[debian-lts-announce] 20221215 [SECURITY] [DLA 3243-1] php7.3 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html"}, {"name": "FEDORA-2024-b46619f761", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGWIK3HMBACERGB4TSBB2JUOMPYY2VKY/"}, {"name": "FEDORA-2024-39d50cc975", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSJVPJTX7T3J5V7XHR4MFNHZGP44R5XE/"}, {"name": "FEDORA-2024-5e8ae0def0", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJZK3X6B7FBE32FETDSMRLJXTFTHKWSY/"}, {"name": "[oss-security] 20240412 PHP security releases 8.1.28, 8.2.18, & 8.3.6", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2024/04/12/11"}], "credits": [{"lang": "en", "value": "reported by squarcina at gmail dot com"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-20 Improper Input Validation", "cweId": "CWE-20"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"advisory": "https://bugs.php.net/bug.php?id=81727", "defect": ["81727"], "discovery": "EXTERNAL"}, "solutions": [{"lang": "en", "value": "Upgrade to PHP 7.4.31, 8.0.24, or 8.1.11."}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-1284", "lang": "en", "description": "CWE-1284 Improper Validation of Specified Quantity in Input"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-16T18:53:33.259759Z", "id": "CVE-2022-31629", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-29T15:05:18.365Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:26:00.718Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugs.php.net/bug.php?id=81727", "tags": ["x_transferred"]}, {"name": "FEDORA-2022-0b77fbd9e7", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/"}, {"name": "FEDORA-2022-afdea1c747", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/"}, {"name": "FEDORA-2022-f204e1d0ed", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/"}, {"name": "DSA-5277", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5277"}, {"name": "GLSA-202211-03", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202211-03"}, {"url": "https://security.netapp.com/advisory/ntap-20221209-0001/", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20221215 [SECURITY] [DLA 3243-1] php7.3 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html"}, {"name": "FEDORA-2024-b46619f761", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGWIK3HMBACERGB4TSBB2JUOMPYY2VKY/"}, {"name": "FEDORA-2024-39d50cc975", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSJVPJTX7T3J5V7XHR4MFNHZGP44R5XE/"}, {"name": "FEDORA-2024-5e8ae0def0", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJZK3X6B7FBE32FETDSMRLJXTFTHKWSY/"}, {"name": "[oss-security] 20240412 PHP security releases 8.1.28, 8.2.18, & 8.3.6", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2024/04/12/11"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://bugs.php.net/bug.php?id=81727", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/", "name": "FEDORA-2022-0b77fbd9e7", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/", "name": "FEDORA-2022-afdea1c747", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/", "name": "FEDORA-2022-f204e1d0ed", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://www.debian.org/security/2022/dsa-5277", "name": "DSA-5277", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202211-03", "name": "GLSA-202211-03", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20221209-0001/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html", "name": "[debian-lts-announce] 20221215 [SECURITY] [DLA 3243-1] php7.3 security update", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGWIK3HMBACERGB4TSBB2JUOMPYY2VKY/", "name": "FEDORA-2024-b46619f761", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSJVPJTX7T3J5V7XHR4MFNHZGP44R5XE/", "name": "FEDORA-2024-39d50cc975", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJZK3X6B7FBE32FETDSMRLJXTFTHKWSY/", "name": "FEDORA-2024-5e8ae0def0", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/12/11", "name": "[oss-security] 20240412 PHP security releases 8.1.28, 8.2.18, & 8.3.6", "tags": ["mailing-list", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:26:00.718Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-31629", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-16T18:53:33.259759Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1284", "description": "CWE-1284 Improper Validation of Specified Quantity in Input"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-16T18:53:36.503Z"}}], "cna": {"title": "$_COOKIE names string replacement (. -> _): cookie integrity vulnerabilities", "source": {"defect": ["81727"], "advisory": "https://bugs.php.net/bug.php?id=81727", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "reported by squarcina at gmail dot com"}], "affected": [{"vendor": "PHP Group", "product": "PHP", "versions": [{"status": "affected", "version": "7.4.X", "lessThan": "7.4.31", "versionType": "custom"}, {"status": "affected", "version": "8.0.X", "lessThan": "8.0.24", "versionType": "custom"}, {"status": "affected", "version": "8.1.X", "lessThan": "8.1.11", "versionType": "custom"}]}], "solutions": [{"lang": "en", "value": "Upgrade to PHP 7.4.31, 8.0.24, or 8.1.11."}], "datePublic": "2022-09-27T00:00:00", "references": [{"url": "https://bugs.php.net/bug.php?id=81727"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/", "name": "FEDORA-2022-0b77fbd9e7", "tags": ["vendor-advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/", "name": "FEDORA-2022-afdea1c747", "tags": ["vendor-advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/", "name": "FEDORA-2022-f204e1d0ed", "tags": ["vendor-advisory"]}, {"url": "https://www.debian.org/security/2022/dsa-5277", "name": "DSA-5277", "tags": ["vendor-advisory"]}, {"url": "https://security.gentoo.org/glsa/202211-03", "name": "GLSA-202211-03", "tags": ["vendor-advisory"]}, {"url": "https://security.netapp.com/advisory/ntap-20221209-0001/"}, {"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html", "name": "[debian-lts-announce] 20221215 [SECURITY] [DLA 3243-1] php7.3 security update", "tags": ["mailing-list"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGWIK3HMBACERGB4TSBB2JUOMPYY2VKY/", "name": "FEDORA-2024-b46619f761", "tags": ["vendor-advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSJVPJTX7T3J5V7XHR4MFNHZGP44R5XE/", "name": "FEDORA-2024-39d50cc975", "tags": ["vendor-advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJZK3X6B7FBE32FETDSMRLJXTFTHKWSY/", "name": "FEDORA-2024-5e8ae0def0", "tags": ["vendor-advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/12/11", "name": "[oss-security] 20240412 PHP security releases 8.1.28, 8.2.18, & 8.3.6", "tags": ["mailing-list"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2024-05-01T17:09:26.439685"}}}, "cveMetadata": {"cveId": "CVE-2022-31629", "state": "PUBLISHED", "dateUpdated": "2024-10-29T15:05:18.365Z", "dateReserved": "2022-05-25T00:00:00", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "datePublished": "2022-09-28T22:25:10.116784Z", "assignerShortName": "php"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "CE52893E-2C1E-4E15-87AA-F61CD2F49783", "versionEndExcluding": "7.4.31", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9E90EE8-1091-4D52-A070-E378CCE5A344", "versionEndExcluding": "8.0.24", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A9D0A59-77E8-4003-90BF-6E062540B8AD", "versionEndExcluding": "8.1.11", "versionStartIncluding": "8.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications."}, {"lang": "es", "value": "En PHP versiones anteriores a 7.4.31, 8.0.24 y 8.1.11, la vulnerabilidad permite a atacantes de la red y del mismo sitio establecer una cookie no segura est\u00e1ndar en el navegador de la v\u00edctima que es tratada como una cookie \"__Host-\" o \"__Secure-\" por las aplicaciones PHP"}], "id": "CVE-2022-31629", "lastModified": "2024-11-21T07:04:53.460", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-09-28T23:15:10.540", "references": [{"source": "security@php.net", "url": "http://www.openwall.com/lists/oss-security/2024/04/12/11"}, {"source": "security@php.net", "tags": ["Exploit", "Permissions Required", "Vendor Advisory"], "url": "https://bugs.php.net/bug.php?id=81727"}, {"source": "security@php.net", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html"}, {"source": "security@php.net", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/"}, {"source": "security@php.net", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJZK3X6B7FBE32FETDSMRLJXTFTHKWSY/"}, {"source": "security@php.net", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSJVPJTX7T3J5V7XHR4MFNHZGP44R5XE/"}, {"source": "security@php.net", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/"}, {"source": "security@php.net", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/"}, {"source": "security@php.net", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGWIK3HMBACERGB4TSBB2JUOMPYY2VKY/"}, {"source": "security@php.net", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202211-03"}, {"source": "security@php.net", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20221209-0001/"}, {"source": "security@php.net", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5277"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/04/12/11"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Permissions Required", "Vendor Advisory"], "url": "https://bugs.php.net/bug.php?id=81727"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJZK3X6B7FBE32FETDSMRLJXTFTHKWSY/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSJVPJTX7T3J5V7XHR4MFNHZGP44R5XE/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGWIK3HMBACERGB4TSBB2JUOMPYY2VKY/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202211-03"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20221209-0001/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5277"}], "sourceIdentifier": "security@php.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@php.net", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:0848", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "php:8.0-8070020230118114629.ef331662", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-02-21T00:00:00Z"}, {"advisory": "RHSA-2023:2903", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "php:7.4-8080020230118140634.cc342424", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-05-16T00:00:00Z"}, {"advisory": "RHSA-2023:0965", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "php-0:8.0.27-1.el9_1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-02-28T00:00:00Z"}, {"advisory": "RHSA-2023:2417", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "php:8.1-9020020230120141750.9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-05-09T00:00:00Z"}], "bugzilla": {"description": "php: standard insecure cookie could be treated as a '__Host-' or '__Secure-' cookie by PHP applications", "id": "2133687", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2133687"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "status": "verified"}, "cwe": "CWE-20", "details": ["In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.", "A vulnerability was found in PHP due to the way PHP handles HTTP variable names. It interferes with HTTP variable names that clash with ones that have a specific semantic meaning. This vulnerability allows network and same-site attackers to set a standard insecure cookie in the victim's browser, which is treated as a `__Host-` or `__Secure-` cookie by PHP applications, posing a threat to data integrity."], "name": "CVE-2022-31629", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "php", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "php", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-php73-php", "product_name": "Red Hat Software Collections"}], "public_date": "2022-09-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-31629\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-31629\nhttps://bugs.php.net/bug.php?id=81727"], "threat_severity": "Moderate", "upstream_fix": "php 7.4.31, php 8.0.25"}