CVE-2022-31630

HIGH7.1EPSS 0.05%

OOB read due to insufficient input validation in imageloadfont()

發布日:2022/11/14修改日:2026/4/28

也稱為:DEBIAN-CVE-2022-31630

描述

In PHP versions prior to 7.4.33, 8.0.25 and 8.1.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information.

受影響套件(4)

Bitnami/libphp>= 7.4.0, < 7.4.33, >= 8.0.0, < 8.0.25, >= 8.1.0, < 8.1.12
Bitnami/php>= 7.4.0, < 7.4.33, >= 8.0.0, < 8.0.25, >= 8.1.0, < 8.1.12
Bitnami/php-min>= 7.4.0, < 7.4.33, >= 8.0.0, < 8.0.25, >= 8.1.0, < 8.1.12
Debian/php7.4from 0, < 7.4.33-1+deb11u1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.1	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

參考連結(3)

ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-31630
WEBhttps://bugs.php.net/bug.php?id=81739
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2022-31630