Hi, [no need to ask on multiple channels please]

On Wed, Feb 22, 2023 at 08:48:00AM +0000, Daniel Ruf wrote:
> According to the CPE and CVE description, only PHP 8 is affected by
> CVE-2023-0662, correct?
>
> https://github.com/php/php-src/security/advisories/GHSA-54hq-v5wp-fqgv
>
> But https://security-tracker.debian.org/tracker/CVE-2023-0662 says, that also
> PHP 7.4 is vulnerable.
> Can you confirm or deny, that versions before PHP 8.0 are vulnerable /
> affected by this specific CVE?
>
> DoS vulnerability when parsing multipart request body
> <https://github.com/php/php-src/security/advisories/GHSA-54hq-v5wp-fqgv>
> ### Summary The request body parsing in PHP allows any unauthenticated
> attacker to consume a large amount of CPU time and trigger excessive logging.
> ### Details The multipart body parser...
> github.com

You have to inspect the code to confirm or deny. Upstream PHP no longer
supports older versions, so they will likely not mention whether earlier
versions are affected as well.

Hope this helps,

Regards,
Salvatore