In PHP versions 7.3.x below 7.3.31, 7.4.x below 7.4.24 and 8.0.x below 8.0.11, in Microsoft Windows environment, ZipArchive::extractTo may be tricked into writing a file outside target directory when extracting a ZIP file, thus potentially causing files to be created or overwritten, subject to OS permissions.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:4068-1 advisory.

  - The zend_string_extend function in Zend/zend_string.h in PHP through 7.1.5 does not prevent changes to     string objects that result in a negative length, which allows remote attackers to cause a denial of     service (application crash) or possibly have unspecified other impact by leveraging a script's use of .=     with a long string. (CVE-2017-8923)

  - In PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files     using phar extension, phar_parse_zipfile could be tricked into accessing freed memory, which could lead to     a crash or information disclosure. (CVE-2020-7068)

  - In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used     with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can     lead to both decreased security and incorrect encryption data. (CVE-2020-7069)

  - In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing     incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like
    __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge     cookie which is supposed to be secure. See also CVE-2020-8184 for more information. (CVE-2020-7070)

  - In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like     filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invalid password as valid URL. This may     lead to functions that rely on URL being valid to mis-parse the URL and produce wrong data as components     of the URL. (CVE-2020-7071)

  - In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to     connect to a SOAP server, a malicious SOAP server could return malformed XML data as a response that would     cause PHP to access a null pointer and thus cause a crash. (CVE-2021-21702)

  - In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running     PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-     privileged users, it is possible for the child processes to access memory shared with the main process and     write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and     writes, which can be used to escalate privileges from local unprivileged user to the root user.
    (CVE-2021-21703)

  - In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO     driver extension, a malicious database server could cause crashes in various database functions, such as     getAttribute(), execute(), fetch() and others by returning invalid response data that is not parsed     correctly by the driver. This can result in crashes, denial of service or potentially memory corruption.
    (CVE-2021-21704)

  - In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation     functionality via filter_var() function with FILTER_VALIDATE_URL parameter, an URL with invalid password     field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially     leading to other security implications - like contacting a wrong server or making a wrong access decision.
    (CVE-2021-21705)

  - In PHP versions 7.3.x below 7.3.31, 7.4.x below 7.4.24 and 8.0.x below 8.0.11, in Microsoft Windows     environment, ZipArchive::extractTo may be tricked into writing a file outside target directory when     extracting a ZIP file, thus potentially causing files to be created or overwritten, subject to OS     permissions. (CVE-2021-21706)

  - In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing     functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains     URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus     interpreting the filename differently from what the user intended, which may lead it to reading a     different file than intended. (CVE-2021-21707)

  - In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions     with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to     trigger use of allocated memory after free, which can result it crashes, and potentially in overwrite of     other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits.
    (CVE-2021-21708)

  - In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres     database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to     free memory using uninitialized data as pointers. This could lead to RCE vulnerability or denial of     service. (CVE-2022-31625)

  - In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when pdo_mysql extension     with mysqlnd driver, if the third party is allowed to supply host to connect to and the password for the     connection, password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote     code execution vulnerability. (CVE-2022-31626)

  - In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress     quines gzip files, resulting in an infinite loop. (CVE-2022-31628)

  - In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site     attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or     `__Secure-` cookie by PHP applications. (CVE-2022-31629)

  - In PHP versions prior to 7.4.33, 8.0.25 and 8.2.12, when using imageloadfont() function in gd extension,     it is possible to supply a specially crafted font file, such as if the loaded font is used with     imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or     disclosure of confidential information. (CVE-2022-31630)

  - The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer     overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties.
    This occurs in the sponge function interface. (CVE-2022-37454)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:4069-1 advisory.

  - The zend_string_extend function in Zend/zend_string.h in PHP through 7.1.5 does not prevent changes to     string objects that result in a negative length, which allows remote attackers to cause a denial of     service (application crash) or possibly have unspecified other impact by leveraging a script's use of .=     with a long string. (CVE-2017-8923)

  - In PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files     using phar extension, phar_parse_zipfile could be tricked into accessing freed memory, which could lead to     a crash or information disclosure. (CVE-2020-7068)

  - In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used     with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can     lead to both decreased security and incorrect encryption data. (CVE-2020-7069)

  - In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing     incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like
    __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge     cookie which is supposed to be secure. See also CVE-2020-8184 for more information. (CVE-2020-7070)

  - In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like     filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invalid password as valid URL. This may     lead to functions that rely on URL being valid to mis-parse the URL and produce wrong data as components     of the URL. (CVE-2020-7071)

  - In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to     connect to a SOAP server, a malicious SOAP server could return malformed XML data as a response that would     cause PHP to access a null pointer and thus cause a crash. (CVE-2021-21702)

  - In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running     PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-     privileged users, it is possible for the child processes to access memory shared with the main process and     write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and     writes, which can be used to escalate privileges from local unprivileged user to the root user.
    (CVE-2021-21703)

  - In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO     driver extension, a malicious database server could cause crashes in various database functions, such as     getAttribute(), execute(), fetch() and others by returning invalid response data that is not parsed     correctly by the driver. This can result in crashes, denial of service or potentially memory corruption.
    (CVE-2021-21704)

  - In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation     functionality via filter_var() function with FILTER_VALIDATE_URL parameter, an URL with invalid password     field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially     leading to other security implications - like contacting a wrong server or making a wrong access decision.
    (CVE-2021-21705)

  - In PHP versions 7.3.x below 7.3.31, 7.4.x below 7.4.24 and 8.0.x below 8.0.11, in Microsoft Windows     environment, ZipArchive::extractTo may be tricked into writing a file outside target directory when     extracting a ZIP file, thus potentially causing files to be created or overwritten, subject to OS     permissions. (CVE-2021-21706)

  - In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing     functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains     URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus     interpreting the filename differently from what the user intended, which may lead it to reading a     different file than intended. (CVE-2021-21707)

  - In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions     with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to     trigger use of allocated memory after free, which can result it crashes, and potentially in overwrite of     other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits.
    (CVE-2021-21708)

  - In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres     database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to     free memory using uninitialized data as pointers. This could lead to RCE vulnerability or denial of     service. (CVE-2022-31625)

  - In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when pdo_mysql extension     with mysqlnd driver, if the third party is allowed to supply host to connect to and the password for the     connection, password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote     code execution vulnerability. (CVE-2022-31626)

  - In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress     quines gzip files, resulting in an infinite loop. (CVE-2022-31628)

  - In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site     attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or     `__Secure-` cookie by PHP applications. (CVE-2022-31629)

  - In PHP versions prior to 7.4.33, 8.0.25 and 8.2.12, when using imageloadfont() function in gd extension,     it is possible to supply a specially crafted font file, such as if the loaded font is used with     imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or     disclosure of confidential information. (CVE-2022-31630)

  - The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer     overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties.
    This occurs in the sponge function interface. (CVE-2022-37454)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of PHP installed on the remote host is prior to 8.1.0. It is, therefore, affected by multiple vulnerabilities as referenced in the Version 8.1.0 advisory.

  - In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running     PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-     privileged users, it is possible for the child processes to access memory shared with the main process and     write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and     writes, which can be used to escalate privileges from local unprivileged user to the root user.
    (CVE-2021-21703)

  - In PHP versions 7.3.x below 7.3.31, 7.4.x below 7.4.24 and 8.0.x below 8.0.11, in Microsoft Windows     environment, ZipArchive::extractTo may be tricked into writing a file outside target directory when     extracting a ZIP file, thus potentially causing files to be created or overwritten, subject to OS     permissions. (CVE-2021-21706)

  - In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing     functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains     URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus     interpreting the filename differently from what the user intended, which may lead it to reading a     different file than intended. (CVE-2021-21707)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of PHP installed on the remote host is 7.4.x prior to 7.4.25. It is, therefore, affected by a vulnerability as referenced in the version 7.4.24 advisory. In the Microsoft Windows environment, ZipArchive::extractTo may be tricked into writing a file outside target directory when extracting a ZIP file, thus potentially causing files to be created or overwritten, subject to OS permissions.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of PHP installed on the remote host is 7.3.x prior to 7.3.31. It is, therefore, affected by a vulnerability as referenced in the version 7.3.31 advisory. In the Microsoft Windows environment, ZipArchive::extractTo may be tricked into writing a file outside target directory when extracting a ZIP file, thus potentially causing files to be created or overwritten, subject to OS permissions.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the version of PHP installed on the remote host is 7.3.x prior to 7.3.31, 7.4.x prior to 7.4.24, or 8.x prior to 8.0.11. It is, therefore, affected by a path traversal via ZipArchive::extractTo().

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
167963	SUSE SLES12 Security Update : php74 (SUSE-SU-2022:4068-1)	Nessus	SuSE Local Security Checks	critical
167937	SUSE SLED15 / SLES15 Security Update : php7 (SUSE-SU-2022:4069-1)	Nessus	SuSE Local Security Checks	critical
155730	PHP 8.1.x < 8.1.0 Multiple Vulnerabilities	Nessus	CGI abuses	high
154656	PHP 7.4.x < 7.4.24 Arbitrary File Write	Nessus	CGI abuses	medium
154650	PHP 7.3.x < 7.3.31 Arbitrary File Write	Nessus	CGI abuses	medium
112986	PHP 7.3.x < 7.3.31 Path Traversal	Web App Scanning	Component Vulnerability	medium
112985	PHP 7.4.x < 7.4.24 Path Traversal	Web App Scanning	Component Vulnerability	medium
112984	PHP 8.x < 8.0.11 Path Traversal	Web App Scanning	Component Vulnerability	medium

Detections

Analytics

CVE-2021-21706

medium

Tenable Plugins

critical

critical

high

medium

medium

medium

medium

medium