{"id":"CVE-2022-31629","details":"In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.","aliases":["BIT-libphp-2022-31629","BIT-php-2022-31629","BIT-php-min-2022-31629"],"modified":"2026-04-16T04:39:42.162848114Z","published":"2022-09-28T23:15:10.540Z","related":["ALSA-2023:0848","ALSA-2023:0965","ALSA-2023:2417","ALSA-2023:2903","ALSA-2024:10949","ALSA-2024:10950","ALSA-2024:10951","ALSA-2024:10952","SUSE-SU-2022:3661-1","SUSE-SU-2022:3830-1","SUSE-SU-2022:3957-1","SUSE-SU-2022:3997-1","SUSE-SU-2022:4067-1","SUSE-SU-2022:4068-1","SUSE-SU-2022:4069-1","openSUSE-SU-2024:13867-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJZK3X6B7FBE32FETDSMRLJXTFTHKWSY/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGWIK3HMBACERGB4TSBB2JUOMPYY2VKY/"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/04/12/11"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJZK3X6B7FBE32FETDSMRLJXTFTHKWSY/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSJVPJTX7T3J5V7XHR4MFNHZGP44R5XE/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGWIK3HMBACERGB4TSBB2JUOMPYY2VKY/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202211-03"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5277"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20221209-0001/"},{"type":"REPORT","url":"https://bugs.php.net/bug.php?id=81727"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/php/php-src","events":[{"introduced":"0"},{"fixed":"3d2745768fac5941a8aded96f53c0035d29bbcab"},{"introduced":"5dc92c2117cafc61daaaaa240fd46c3ac33872a4"},{"fixed":"b3034f5d053744d34eab8783d5fde0a5af95a070"},{"introduced":"381ba9f5d0edd0c9c8ec1dea7e21d513ad08b115"},{"fixed":"b357a4fe713d5a8f096f89d30019e5d322711c64"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"7.4.31"},{"introduced":"8.0.0"},{"fixed":"8.0.24"},{"introduced":"8.1.0"},{"fixed":"8.1.11"}]}}],"versions":["POST_64BIT_BRANCH_MERGE","POST_AST_MERGE","POST_PHP7_NSAPI_REMOVAL","POST_PHP7_REMOVALS","POST_PHPNG_MERGE","PRE_64BIT_BRANCH_MERGE","PRE_AST_MERGE","PRE_PHP7_EREG_MYSQL_REMOVALS","PRE_PHP7_NSAPI_REMOVAL","PRE_PHP7_REMOVALS"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"35"}]},{"events":[{"introduced":"0"},{"last_affected":"36"}]},{"events":[{"introduced":"0"},{"last_affected":"37"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31629.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}]}