CVE-2022-31629

Advisory lineage Upstream: 0 Downstream: 19
Modified
Published: 28 Sept 2022, 22:25
Last modified: 04 Nov 2025, 17:12

Vulnerability Summary

Overall Risk (default)
medium
39/100
CVSS Score
6.5 MEDIUM
v3.1 (cve.org)
EPSS Score
15.42% MEDIUM
15% probability -1.53%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected

Timeline

28 Sept 2022, 22:25
Published
Vulnerability first disclosed
04 Nov 2025, 17:12
Last Modified
Vulnerability information updated

Description

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.

CVSS Metrics

  • v3.1 | MEDIUM | Score: 6.5 | Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS Trends

Current EPSS score: 15.42% Percentile: 95%

Techniques & Countermeasures

  • CWE-20: Improper Input Validation

    The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

  • CWE-1284: Improper Validation of Specified Quantity in Input

    The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

Affected Systems

  • debian / debian_linux

    10.0 | 11.0

  • fedoraproject / fedora

    35 | 36 | 37

  • Unknown / PHP

    ≥ 7.4.X, < 7.4.31 | ≥ 8.0.X, < 8.0.24 | ≥ 8.1.X, < 8.1.11

  • Unknown / PHP

    < 7.4.31 | ≥ 8.0.0, < 8.0.24 | ≥ 8.1.0, < 8.1.11

References (14)