CVE-2022-31630 - OpenCVE

In PHP versions prior to 7.4.33, 8.0.25 and 8.1.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Php	Php
Redhat	Enterprise Linux

Configuration 1 [-]

OR	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
php:8.0-8070020230118114629.ef331662	cpe:/a:redhat:enterprise_linux:8	RHSA-2023:0848	2023-02-21T00:00:00Z
php:7.4-8080020230118140634.cc342424	cpe:/a:redhat:enterprise_linux:8	RHSA-2023:2903	2023-05-16T00:00:00Z
Red Hat Enterprise Linux 9
php-0:8.0.27-1.el9_1	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:0965	2023-02-28T00:00:00Z
php:8.1-9020020230120141750.9	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:2417	2023-05-09T00:00:00Z

References

Link	Providers
https://bugs.php.net/bug.php?id=81739
https://nvd.nist.gov/vuln/detail/CVE-2022-31630
https://www.cve.org/CVERecord?id=CVE-2022-31630
https://www.php.net/ChangeLog-8.php#8.0.25

History

No history.

MITRE

Status: PUBLISHED

Assigner: php

Published: 2022-11-14T06:53:06.774Z

Updated: 2024-08-03T07:26:01.044Z

Reserved: 2022-05-25T21:03:32.861Z

Link: CVE-2022-31630

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-11-14T07:15:09.467

Modified: 2024-04-02T03:15:07.973

Link: CVE-2022-31630

Redhat

Severity : Moderate

Publid Date: 2022-10-27T00:00:00Z

Links: CVE-2022-31630 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-31630", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "state": "PUBLISHED", "assignerShortName": "php", "requesterUserId": "520cc88b-a1c8-44f6-9154-21a4d74c769f", "dateReserved": "2022-05-25T21:03:32.861Z", "datePublished": "2022-11-14T06:53:06.774Z", "dateUpdated": "2024-08-03T07:26:01.044Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["gd"], "product": "PHP", "repo": "https://github.com/php/php-src", "vendor": "PHP Group", "versions": [{"lessThan": "7.4.33", "status": "affected", "version": "7.4.x", "versionType": "custom"}, {"lessThan": "8.0.25", "status": "affected", "version": "8.0.x", "versionType": "custom"}, {"lessThan": "8.1.12", "status": "affected", "version": "8.1.x", "versionType": "custom"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "gd extension"}], "value": "gd extension"}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "cmb@php.net"}, {"lang": "en", "type": "remediation developer", "user": "00000000-0000-4000-9000-000000000000", "value": "cmb@php.net"}], "datePublic": "2022-10-24T06:40:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In PHP versions prior to 7.4.33, 8.0.25 and 8.1.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information. "}], "value": "In PHP versions prior to 7.4.33, 8.0.25 and 8.1.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information.\u00a0"}], "impacts": [{"capecId": "CAPEC-540", "descriptions": [{"lang": "en", "value": "CAPEC-540 Overread Buffers"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-131", "description": "CWE-131 Incorrect Calculation of Buffer Size", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-190", "description": "CWE-190 Integer Overflow or Wraparound", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2024-04-02T02:38:25.144Z"}, "references": [{"url": "https://bugs.php.net/bug.php?id=81739"}], "source": {"defect": ["https://bugs.php.net/bug.php?id=81739"], "discovery": "INTERNAL"}, "title": "OOB read due to insufficient input validation in imageloadfont()", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:26:01.044Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugs.php.net/bug.php?id=81739", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "53B99259-5C66-4AEF-B500-1F775B6CCA06", "versionEndExcluding": "7.4.33", "versionStartIncluding": "7.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "795EC7FC-4A42-4D2B-A900-02CA7770E515", "versionEndExcluding": "8.0.25", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "0BFF2544-41D1-41F6-A116-F7069789A585", "versionEndExcluding": "8.1.12", "versionStartIncluding": "8.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In PHP versions prior to 7.4.33, 8.0.25 and 8.1.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information.\u00a0"}, {"lang": "es", "value": "En versiones de PHP anteriores a 7.4.33, 8.0.25 y 8.2.12, cuando se usa la funci\u00f3n imageloadfont() en la extensi\u00f3n gd, es posible proporcionar un archivo de fuente especialmente manipulado, como si la fuente cargada se usa con imagechar() funci\u00f3n, se utilizar\u00e1 la lectura fuera del b\u00fafer asignado. Esto puede provocar fallos o divulgaci\u00f3n de informaci\u00f3n confidencial."}], "id": "CVE-2022-31630", "lastModified": "2024-04-02T03:15:07.973", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security@php.net", "type": "Secondary"}]}, "published": "2022-11-14T07:15:09.467", "references": [{"source": "security@php.net", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugs.php.net/bug.php?id=81739"}], "sourceIdentifier": "security@php.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-131"}, {"lang": "en", "value": "CWE-190"}], "source": "security@php.net", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:0848", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "php:8.0-8070020230118114629.ef331662", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-02-21T00:00:00Z"}, {"advisory": "RHSA-2023:2903", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "php:7.4-8080020230118140634.cc342424", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-05-16T00:00:00Z"}, {"advisory": "RHSA-2023:0965", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "php-0:8.0.27-1.el9_1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-02-28T00:00:00Z"}, {"advisory": "RHSA-2023:2417", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "php:8.1-9020020230120141750.9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-05-09T00:00:00Z"}], "bugzilla": {"description": "php: OOB read due to insufficient input validation in imageloadfont()", "id": "2139280", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2139280"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "status": "verified"}, "cwe": "CWE-20->CWE-125", "details": ["In PHP versions prior to 7.4.33, 8.0.25 and 8.1.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information.\u00a0", "An out-of-bounds read flaw was found in PHP due to insufficient input validation in the imageloadfont() function. This flaw allows a remote attacker to pass specially crafted data to the web application, trigger an out-of-bounds read error, and read the contents of memory on the system."], "name": "CVE-2022-31630", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "php", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "php", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-php73-php", "product_name": "Red Hat Software Collections"}], "public_date": "2022-10-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-31630\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-31630\nhttps://bugs.php.net/bug.php?id=81739\nhttps://www.php.net/ChangeLog-8.php#8.0.25"], "threat_severity": "Moderate", "upstream_fix": "php 7.4.33"}