Fluid Attacks Database

Description

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	php7.4	=7.4.21-1+deb11u1 \|\| =7.4.25-1+deb11u1 \|\| =7.4.26-1 \|\| =7.4.28-1+deb11u1 \|\| =7.4.30-1+deb11u1 \|\| >=0 <7.4.33-1+deb11u1	7.4.33-1+deb11u1
rpm rhel7	php	-	-
rpm rhel8	php	<0:7.4.33-1.module+el8.8.0+17865+ef7eddfa	0:7.4.33-1.module+el8.8.0+17865+ef7eddfa
rpm rhel9	php	<0:8.0.27-1.el9_1	0:8.0.27-1.el9_1
rpm rhel6	php	-	-

Aliases

1. CVE-2022-316292. NVD-2022-316293. OSV-DEBIAN-2022-316294. OSV-2022-316295. SECURITY-TRACKER-CVE-2022-31629

References

1. https://github.com/silnex/CVE-2022-31629-poc

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.