First published: Fri Oct 21 2022 (Updated: )
Fixed bug: buffer overflow in hash_update() on long parameter. (CVE-2022-37454)
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
debian/pysha3 | <=1.0.2-2, <=1.0.2-4.1, <=1.0.2-4.2 | 1.0.2-4.1+deb11u1, 1.0.2-5 |
XKCP (Extended Keccak Code Package) | before commit fdc6fef075f4e81d6b1bc38364248975e08e340a | commit fdc6fef075f4e81d6b1bc38364248975e08e340a |
Debian Linux | =10.0 | |
Debian Linux | =11.0 | |
Fedora | =35 | |
Fedora | =36 | |
PHP PHP | >=7.2.0<7.4.33 | |
PHP PHP | >=8.0.0<8.0.25 | |
PHP PHP | >=8.1.0<8.1.12 | |
Python Python | >=3.6.0<3.7.16 | |
Python Python | >=3.8.0<3.8.16 | |
Python Python | >=3.9.0<3.9.16 | |
Python Python | >=3.10.0<3.10.9 | |
sha3 (PyPI) | <1.0.5 | 1.0.5 |
pysha3 (PyPI) | | |
PHP PHP | >=7.0.0 | |
PHP PHP | <8.0.25 | 8.0.25 |
ubuntu/php7.2 | <7.2.24-0ubuntu0.18.04.15 | 7.2.24-0ubuntu0.18.04.15 |
ubuntu/php7.4 | <7.4.3-4ubuntu2.15 | 7.4.3-4ubuntu2.15 |
ubuntu/php8.1 | <8.1.2-1ubuntu2.8 | 8.1.2-1ubuntu2.8 |
ubuntu/php8.1 | <8.1.7-1ubuntu3.1 | 8.1.7-1ubuntu3.1 |
ubuntu/php8.1 | <8.1.12-1ubuntu2 | 8.1.12-1ubuntu2 |
ubuntu/php8.1 | <8.1.12-1 | 8.1.12-1 |
ubuntu/pypy3 | <7.3.1+dfsg-4ubuntu0.1 | 7.3.1+dfsg-4ubuntu0.1 |
ubuntu/pypy3 | <7.3.9+dfsg-1ubuntu0.1 | 7.3.9+dfsg-1ubuntu0.1 |
ubuntu/pypy3 | <7.3.9+dfsg-5 | 7.3.9+dfsg-5 |
ubuntu/pysha3 | <1.0.2-4ubuntu0.1 | 1.0.2-4ubuntu0.1 |
ubuntu/pysha3 | <1.0.2-4.2ubuntu0.22.04.1 | 1.0.2-4.2ubuntu0.22.04.1 |
ubuntu/python3.10 | <3.10.6-1~22.04.2 | 3.10.6-1~22.04.2 |
ubuntu/python3.10 | <3.10.7-1ubuntu0.2 | 3.10.7-1ubuntu0.2 |
ubuntu/python3.10 | <3.10.9-1 | 3.10.9-1 |
ubuntu/python3.6 | <3.6.9-1~18.04ubuntu1.10 | 3.6.9-1~18.04ubuntu1.10 |
ubuntu/python3.7 | <3.7.5-2ubuntu1~18.04.2+ | 3.7.5-2ubuntu1~18.04.2+ |
ubuntu/python3.8 | <3.8.0-3ubuntu1~18.04.2+ | 3.8.0-3ubuntu1~18.04.2+ |
ubuntu/python3.8 | <3.8.10-0ubuntu1~20.04.6 | 3.8.10-0ubuntu1~20.04.6 |
ubuntu/python3.9 | <3.9.5-3ubuntu0~20.04.1+ | 3.9.5-3ubuntu0~20.04.1+ |
debian/php7.3 | <=7.3.31-1~deb10u1 | 7.3.31-1~deb10u5 |
debian/php7.4 | 7.4.33-1+deb11u4, 7.4.33-1+deb11u5 | |
debian/pypy3 | 7.0.0+dfsg-3, 7.3.5+dfsg-2+deb11u2, 7.3.11+dfsg-2+deb12u1, 7.3.15+dfsg-1, 7.3.16+dfsg-2 | |
debian/pysha3 | <=1.0.2-2 | 1.0.2-2+deb10u1, 1.0.2-4.1+deb11u1 |
debian/python2.7 | 2.7.16-2+deb10u1, 2.7.16-2+deb10u4, 2.7.18-8+deb11u1 | |
debian/python3.7 | <=3.7.3-2+deb10u3 | 3.7.3-2+deb10u7 |
debian/python3.9 | <=3.9.2-1 | |
CVE-2022-37454 is an integer overflow, and the buffer overflow that follows from it, in the sponge function interface of the Keccak XKCP SHA-3 reference implementation; it is fixed upstream in commit fdc6fef075f4e81d6b1bc38364248975e08e340a. Because that code is vendored into PHP, into CPython's hashlib (the sha3_* and shake_* constructors) and into the pysha3 and sha3 packages, the bug is reachable from those languages by feeding a sufficiently long input to the hash (the PHP changelog entry above calls it a "long parameter" to hash_update()). An attacker who controls the hashed data can corrupt memory and potentially execute arbitrary code, or eliminate the expected cryptographic properties of the hash.
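The overflow class behind this CVE, as an added illustration written for this page (it is not code from XKCP, PHP or Python): a simplified model of the length computation a sponge absorb loop performs before copying input into the current rate block, in a wrapping form beside a corrected form. The function names are the example's own, RATE_BYTES is the SHA3-224 rate, the input sizes are constructed, and unsigned int is assumed to be 32 bits wide.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Rate of SHA3-224 in bytes (1600 - 2*224 bits). Only the bounds check is
 * modelled here; the real sponge state is 200 bytes and the rate is how
 * many of them absorb input between permutations. */
#define RATE_BYTES 144u

/*
 * Unsafe form: the remaining input length is narrowed to unsigned int and
 * the bounds check adds two unsigned ints, which wraps modulo 2^32.
 *   dataByteLen  total bytes handed to this absorb call
 *   i            bytes of it already consumed
 *   byteIOIndex  bytes already sitting in the current rate block
 * Returns the number of bytes the caller would memcpy into the block.
 */
unsigned int partial_block_vulnerable(size_t dataByteLen, size_t i,
                                      unsigned int byteIOIndex)
{
    unsigned int partialBlock = (unsigned int)(dataByteLen - i);
    /* With partialBlock == 0xFFFFFFFF and byteIOIndex == 1 the sum wraps
     * to 0, the test is false, and partialBlock is left at 0xFFFFFFFF. */
    if (partialBlock + byteIOIndex > RATE_BYTES)
        partialBlock = RATE_BYTES - byteIOIndex;
    return partialBlock;
}

/* Hardened form: compare in size_t and subtract only on the side that is
 * known to be bounded (byteIOIndex <= RATE_BYTES), so nothing can wrap. */
unsigned int partial_block_fixed(size_t dataByteLen, size_t i,
                                 unsigned int byteIOIndex)
{
    unsigned int partialBlock;
    if (dataByteLen - i > RATE_BYTES - byteIOIndex)
        partialBlock = RATE_BYTES - byteIOIndex;
    else
        partialBlock = (unsigned int)(dataByteLen - i);
    return partialBlock;
}

/* 1 if copying partialBlock bytes at offset byteIOIndex would run past
 * the rate block, i.e. overflow the sponge state; 0 otherwise.
 * Widened to 64 bits so the check itself cannot wrap. */
int overflows_block(unsigned int partialBlock, unsigned int byteIOIndex)
{
    return ((uint64_t)partialBlock + byteIOIndex > RATE_BYTES) ? 1 : 0;
}

int main(void)
{
    /* Constructed scenario: one byte already absorbed, followed by an
     * update of 2^32 - 1 bytes, the size class that defeats the check. */
    size_t len = (size_t)0xFFFFFFFFULL;
    unsigned int idx = 1;
    unsigned int v = partial_block_vulnerable(len, 0, idx);
    unsigned int f = partial_block_fixed(len, 0, idx);
    printf("vulnerable copies %u bytes (overflow=%d)\n", v, overflows_block(v, idx));
    printf("fixed      copies %u bytes (overflow=%d)\n", f, overflows_block(f, idx));
    return 0;
}
```

The vulnerable form is only wrong for inputs whose remaining length is within a few bytes of 2^32, which is why the bug needs a multi-gigabyte update to trigger and why ordinary test vectors never hit it; the corrected form costs nothing extra and is the shape to look for when auditing other absorb or buffer-fill loops that mix size_t lengths with narrower counters.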
CVE-2022-37454 affects PHP 7.2.0 through 7.4.32, 8.0.0 through 8.0.24 and 8.1.0 through 8.1.11; hashing attacker-controlled data with the affected SHA-3 variants can corrupt memory and potentially lead to arbitrary code execution.
To fix CVE-2022-37454 in PHP, update to 7.4.33, 8.0.25 or 8.1.12 (or a later release of the same branch).
Upstream, the affected software is XKCP before the fix commit, PHP 7.2.0 to 7.4.32, 8.0.0 to 8.0.24 and 8.1.0 to 8.1.11, Python 3.6.0 to 3.7.15, 3.8.0 to 3.8.15, 3.9.0 to 3.9.15 and 3.10.0 to 3.10.8, the sha3 package before 1.0.5, and pysha3. Debian and Ubuntu ship their own builds of php, python, pypy3 and pysha3 that vendor the same Keccak code; the package versions that carry the fix for each distribution are listed in the table above.
More information about CVE-2022-37454 can be found in the PHP changelog at https://www.php.net/ChangeLog-7.php#7.4.33 and the XKCP/XKCP GitHub repository at https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658. The specific fix is available in the commit fdc6fef075f4e81d6b1bc38364248975e08e340a.