CVE-2023-0567

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-0567

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-0567.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-0567

Aliases

BIT-php-2023-0567
GHSA-7fj2-8x79-rjf4

Related

Published

2023-03-01T08:15:11Z

Modified

2024-09-18T03:24:53.054784Z

Severity

6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.

References

Affected packages

Debian:11 / php7.4

Package

Name: php7.4
Purl: pkg:deb/debian/php7.4?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.4.33-1+deb11u3

Affected versions

7.*

7.4.21-1+deb11u1

7.4.25-1+deb11u1

7.4.26-1

7.4.28-1+deb11u1

7.4.30-1+deb11u1

7.4.33-1+deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / php8.2

Package

Name: php8.2
Purl: pkg:deb/debian/php8.2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.2.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / php8.2

Package

Name: php8.2
Purl: pkg:deb/debian/php8.2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.2.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/php/php-src

Affected ranges

Type: GIT
Repo: https://github.com/php/php-src
Events: Introduced

5dc92c2117cafc61daaaaa240fd46c3ac33872a4

Fixed

12b5ba0b1d87d2dfdb4ee213cb5d122c921f3f2f