php-memcached-dev / php-memcached

memcached extension based on libmemcached library

CVE-2022-26635 #519

Closed eslerm closed 2 years ago

eslerm commented 2 years ago

Hello, I have a few questions about this CVE.

CVE-2022-26635: PHP-Memcached v2.2.0 and below contains an improper NULL termination which allows attackers to execute CLRF injection.

Will CVE-2022-26635 be patched for php-memcached version 2.2.x?

Does this vulnerability impact any 3.x versions?

Might this impact libmemcached?

Thank you :pray:

m6w6 commented 2 years ago

This should not be a CVE against php-memcached, but for whatever software the issue was actually found in. php-memcached and libmemcached provide a VERIFY_KEY flag if they're too lazy to filter untrusted user input.
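
The VERIFY_KEY flag mentioned above maps to the Memcached::OPT_VERIFY_KEY option in php-memcached (libmemcached then rejects keys that do not conform to the memcached protocol). The following is an added example, not code from the php-memcached project or from any participant in this thread: it enables that option on a client and pairs it with an application-side check for keys built from untrusted input, so a key containing CR/LF, whitespace or control characters is refused before it ever reaches the wire. It assumes the php-memcached extension is loaded; the host, port and sample keys are constructed placeholders.

```php
<?php
// Added example (not php-memcached project code): defensive handling of
// memcached keys derived from untrusted input.
declare(strict_types=1);

const MEMCACHED_MAX_KEY_LENGTH = 250; // limit imposed by the memcached protocol

/**
 * Return true if $key is safe to send to memcached: non-empty, at most
 * 250 bytes, and made only of printable ASCII with no spaces. CR and LF
 * terminate protocol commands, so they are rejected along with all other
 * control characters.
 */
function isSafeMemcachedKey(string $key): bool
{
    if ($key === '' || strlen($key) > MEMCACHED_MAX_KEY_LENGTH) {
        return false;
    }
    // 0x21-0x7E is printable ASCII excluding space.
    return preg_match('/^[\x21-\x7E]+$/', $key) === 1;
}

/**
 * Build a key from untrusted input without the input itself becoming part of
 * the key: hashing yields a fixed-length, printable, whitespace-free string.
 */
function deriveMemcachedKey(string $namespace, string $untrusted): string
{
    return $namespace . ':' . hash('sha256', $untrusted);
}

/**
 * Create a client with libmemcached-side key verification enabled
 * (Memcached::OPT_VERIFY_KEY). Host and port are placeholders.
 */
function newVerifyingClient(string $host = '127.0.0.1', int $port = 11211): Memcached
{
    $m = new Memcached();
    $m->setOption(Memcached::OPT_VERIFY_KEY, true); // libmemcached rejects malformed keys
    $m->addServer($host, $port);
    return $m;
}

// Constructed sample keys: one well-formed, one carrying CR/LF, one too long.
$samples = [
    'user:42:profile',
    "user:42\r\nextra",      // embedded CR/LF: must be rejected
    str_repeat('a', 251),    // exceeds the protocol's 250-byte limit
];

foreach ($samples as $candidate) {
    printf("%-30s -> %s\n",
        addcslashes(substr($candidate, 0, 24), "\0..\37"),
        isSafeMemcachedKey($candidate) ? 'accepted' : 'rejected');
}

// With the hashing approach the untrusted bytes never appear in the key.
echo deriveMemcachedKey('user', "42\r\nextra"), "\n";

// Usage against a live server (uncomment when one is reachable):
// $m = newVerifyingClient();
// if (!isSafeMemcachedKey($key) || $m->set($key, $value) === false) {
//     error_log('memcached set refused: ' . $m->getResultMessage());
// }
```

OPT_VERIFY_KEY is a last line of defence inside libmemcached; the application-side check (or the hashing approach) is what keeps untrusted bytes out of keys in the first place, and checking the return value of set() surfaces the cases the library refuses.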

eslerm commented 2 years ago

Thank you for the clarification @m6w6 :pray:

I have sent MITRE a request to remove php-memcached from this CVE and referenced your response.

carnil commented 1 year ago

Thank you for the clarification @m6w6 :pray:

I have sent MITRE a request to remove php-memcached from this CVE and referenced your response.

was there any response?

eslerm commented 1 year ago

I have not heard back. The owning CNA is MITRE.

I'll ask for an update and CC you.