CVE-2022-26635

[eslerm]

Hello, I have a few questions about this CVE.

CVE-2022-26635: PHP-Memcached v2.2.0 and below contains an improper NULL termination which allows attackers to execute CLRF injection.

Will CVE-2022-26635 ¹²³ be patched for php-memcached version 2.2.x?

Does this vulnerability impact any 3.x versions?

Might this impact libmemcached?

Thank you 🙏

Footnotes

1. https://nvd.nist.gov/vuln/detail/CVE-2022-26635 ↩

2. https://xhzeem.me/posts/Php5-memcached-Injection-Bypass/read/ ↩

3. https://github.com/advisories/GHSA-hph6-79wj-qqmw ↩

[m6w6]

This should not be a CVE against php-memcached, but for whatever software the issue was actually found in.
php-memcached and libmemcached provide a VERIFY_KEY flag if they're too lazy to filter untrusted user input.

[eslerm]

Thank you for the clarification @m6w6 🙏

I have sent MITRE a request to remove php-memcached from this CVE and referenced your response.

[carnil]

Thank you for the clarification @m6w6 pray

I have sent MITRE a request to remove php-memcached from this CVE and referenced your response.

was there any response?

[eslerm]

I have not heard back. The owning CNA is MITRE.

I'll ask for an update and CC you.