CVE-2022-31630

In PHP versions prior to 7.4.33, 8.0.25 and 8.1.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://bugs.php.net/bug.php?id=81739	Exploit Issue Tracking Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::

History

No history.

Information

Published : 2022-11-14 07:15

Updated : 2024-04-02 03:15

NVD link : CVE-2022-31630

Mitre link : CVE-2022-31630

CVE.ORG link : CVE-2022-31630

JSON object : View

Products Affected

php

php

CWE

CWE-125

Out-of-bounds Read

CWE-131

Incorrect Calculation of Buffer Size

CWE-190

Integer Overflow or Wraparound

{"id": "CVE-2022-31630", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "security@php.net", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2022-11-14T07:15:09.467", "references": [{"url": "https://bugs.php.net/bug.php?id=81739", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "source": "security@php.net"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-125"}]}, {"type": "Secondary", "source": "security@php.net", "description": [{"lang": "en", "value": "CWE-131"}, {"lang": "en", "value": "CWE-190"}]}], "descriptions": [{"lang": "en", "value": "In PHP versions prior to 7.4.33, 8.0.25 and 8.1.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information.\u00a0"}, {"lang": "es", "value": "En versiones de PHP anteriores a 7.4.33, 8.0.25 y 8.2.12, cuando se usa la funci\u00f3n imageloadfont() en la extensi\u00f3n gd, es posible proporcionar un archivo de fuente especialmente manipulado, como si la fuente cargada se usa con imagechar() funci\u00f3n, se utilizar\u00e1 la lectura fuera del b\u00fafer asignado. Esto puede provocar fallos o divulgaci\u00f3n de informaci\u00f3n confidencial."}], "lastModified": "2024-04-02T03:15:07.973", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "53B99259-5C66-4AEF-B500-1F775B6CCA06", "versionEndExcluding": "7.4.33", "versionStartIncluding": "7.4.0"}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "795EC7FC-4A42-4D2B-A900-02CA7770E515", "versionEndExcluding": "8.0.25", "versionStartIncluding": "8.0.0"}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0BFF2544-41D1-41F6-A116-F7069789A585", "versionEndExcluding": "8.1.12", "versionStartIncluding": "8.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@php.net"}