CVE-2022-24953: 
PHP vulnerability analysis and mitigation

The Crypt_GPG extension before version 1.6.7 for PHP contains a security vulnerability (CVE-2022-24953) that fails to prevent additional options in GPG calls. This vulnerability was discovered and disclosed in February 2022, affecting all versions of the Crypt_GPG package prior to 1.6.7. The vulnerability impacts environments using the PHP Crypt_GPG extension for GPG operations (NVD).

The vulnerability stems from the failure to properly validate arguments in API calls, allowing potential manipulation of GPG commands. The issue was addressed by inserting an end-of-options marker ('--') before operation arguments to prevent interpretation of user-supplied input as commands or flags. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD, Debian).

The vulnerability could allow API calls to be tricked into performing unintended commands, potentially resulting in erroneous output or information leaks. The security impact varies depending on the environment and GPG version in use (Debian).

The vulnerability was fixed in Crypt_GPG version 1.6.7 by implementing proper input validation and adding the end-of-options marker before operation arguments. Users are advised to upgrade to version 1.6.7 or later to address this security issue (GitHub Commit).