CVE-2022-31630
Public on 2022-11-08
Modified on 2024-06-21
Description
In PHP versions prior to 7.4.33, 8.0.25 and 8.2.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| HAQM Linux 2 - Core | php | Not Affected | ||
| HAQM Linux 2 - Php8.0 Extra | php | 2023-08-21 | ALAS2PHP8.0-2023-004 | Fixed |
| HAQM Linux 2 - Php8.1 Extra | php | 2023-08-04 | ALAS2PHP8.1-2023-001 | Fixed |
| HAQM Linux 1 | php73 | Not Affected | ||
| HAQM Linux 2023 | php8.1 | 2023-02-17 | ALAS2023-2023-081 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| HAQM Linux | CVSSv3 | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| NVD | CVSSv3 | 7.1 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H |