CVE-2022-31628
phar wrapper can occur dos when using quine gzip file
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Affected products
PHP Group · PHPWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://bugs.php.net/bug.php?id=81726https://lists.debian.org/debian-lts-announce/2022/12/msg00030.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/https://security.gentoo.org/glsa/202211-03https://security.netapp.com/advisory/ntap-20221209-0001/https://www.debian.org/security/2022/dsa-5277