Korean
<< Back
VID 210231
Severity 40
Port 80, ...
Protocol TCP
Class CGI
Detailed Description The version of PHP installed on the remote Windows host is a version prior to 7.4.33, 8.0.25 or 8.1.12. It is, therefore, affected by multiple vulnerabilities.

- In PHP versions prior to 7.4.33, 8.0.25 and 8.1.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information. (CVE-2022-31630)
- The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties.
This occurs in the sponge function interface. (CVE-2022-37454)

* References:
http://bugs.php.net/81738
http://bugs.php.net/81739
http://php.net/ChangeLog-8.php#8.2.0

* Platforms Affected:
PHP Prior to 7.4.33
Any operating system Any version
Recommendation Upgrade to the latest version of PHP (7.4.33 or later), available from the PHP web site at http://www.php.net/downloads.php
Related URL CVE-2022-31630,CVE-2022-37454 (CVE)
Related URL (SecurityFocus)
Related URL (ISS)