First published: Fri Oct 21 2022
Fixed bug: buffer overflow in hash_update() on long parameter (CVE-2022-37454)
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/pysha3 | <=1.0.2-2, <=1.0.2-4.1, <=1.0.2-4.2 | 1.0.2-4.1+deb11u1, 1.0.2-5 |
| PHP | <8.0.25 | 8.0.25 |
| Extended Keccak Code Package (XKCP) | | |
| Debian Linux | =10.0 | |
| Debian Linux | =11.0 | |
| Fedora | =35 | |
| Fedora | =36 | |
| PHP | >=7.2.0, <7.4.33 | |
| PHP | >=8.0.0, <8.0.25 | |
| PHP | >=8.1.0, <8.1.12 | |
| Python | >=3.6.0, <3.7.16 | |
| Python | >=3.8.0, <3.8.16 | |
| Python | >=3.9.0, <3.9.16 | |
| Python | >=3.10.0, <3.10.9 | |
| Sha3 (Sha3 Project) | <1.0.5 | |
| Pysha3 (Pysha3 Project) | | |
| PyPy | >=7.0.0 | |
| debian/php7.4 | 7.4.33-1+deb11u5, 7.4.33-1+deb11u6 | |
| debian/pypy3 | 7.3.5+dfsg-2+deb11u2, 7.3.5+dfsg-2+deb11u3, 7.3.11+dfsg-2+deb12u2, 7.3.17+dfsg-2 | |
| debian/pysha3 | 1.0.2-4.1+deb11u1 | |
| debian/python2.7 | 2.7.18-8+deb11u1 | |
| debian/python3.9 | <=3.9.2-1 | |
CVE-2022-37454 is a buffer overflow in the Keccak XKCP SHA-3 reference implementation, triggered in hash_update() by a long input parameter, that can allow an attacker to execute arbitrary code or to eliminate the expected cryptographic properties of the hash. Because PHP, CPython, PyPy and the pysha3 package bundle the XKCP code, the same bug is reachable through their SHA-3 and SHAKE hashing functions.
In PHP, CVE-2022-37454 affects the 7.4 branch before 7.4.33 (and, per the table above, 8.0 before 8.0.25 and 8.1 before 8.1.12) and can be exploited to execute arbitrary code.
To fix CVE-2022-37454 in PHP, update to version 7.4.33 or later on the 7.4 branch (8.0.25 or 8.1.12 on the 8.0 and 8.1 branches).
The affected software includes:
- PHP versions up to 7.4.33, PHP 7.3.31-1~deb10u4, PHP 7.4.33-1+deb11u3 and 7.4.33-1+deb11u4
- PyPy3 versions 7.0.0+dfsg-3, 7.3.5+dfsg-2+deb11u2, 7.3.11+dfsg-2, and 7.3.12+dfsg-1
- pysha3 versions 1.0.2-2+deb10u1 and 1.0.2-4.1+deb11u1
- Python 2.7.16-2+deb10u1, 2.7.16-2+deb10u2, and 2.7.18-8
- Python 3.10.12-1, Python 3.7.3-2+deb10u5, and Python 3.9 versions up to 3.9.2-1
More information about CVE-2022-37454 can be found in the PHP changelog at https://www.php.net/ChangeLog-7.php#7.4.33 and in the XKCP security advisory GHSA-6w4m-2xhg-2658 at https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658. The upstream fix is XKCP commit fdc6fef075f4e81d6b1bc38364248975e08e340a.