CVE-2022-31629 — MEDIUM (6.5)

Q: How severe is CVE-2022-31629?

CVE-2022-31629 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-31629?

Check the references section above for vendor advisories and patch information. Affected products include: Php Php, Fedoraproject Fedora, Debian Debian Linux.

Vulnerability Description

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Php	Php	< 7.4.31
Fedoraproject	Fedora	35
Debian	Debian Linux	10.0

Related Weaknesses (CWE)

CWE-20 CWE-1284

References

http://www.openwall.com/lists/oss-security/2024/04/12/11
https://bugs.php.net/bug.php?id=81727ExploitPermissions RequiredVendor Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00030.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202211-03Third Party Advisory
https://security.netapp.com/advisory/ntap-20221209-0001/Third Party Advisory
https://www.debian.org/security/2022/dsa-5277Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/04/12/11
https://bugs.php.net/bug.php?id=81727ExploitPermissions RequiredVendor Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00030.htmlMailing ListThird Party Advisory

FAQ

What is CVE-2022-31629?

CVE-2022-31629 is a vulnerability with a CVSS score of 6.5 (MEDIUM). In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or...

How severe is CVE-2022-31629?

CVE-2022-31629 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-31629?

Check the references section above for vendor advisories and patch information. Affected products include: Php Php, Fedoraproject Fedora, Debian Debian Linux.