Vulnerability CVE-2023-0567: Information

Description

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid. 

Severity: MEDIUM (6.2) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2023-0567
Published: March 1, 2023
Modified: Nov. 7, 2023
Error type identifier: CWE-916

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
php8.0p108.0.28-alt18.0.30-alt1ALT-PU-2023-1319-1315278Fixed
php8.0p10_e2k8.0.28-alt18.0.30-alt1ALT-PU-2023-2679-1-Fixed
php8.0c10f18.0.28-alt18.0.30-alt1ALT-PU-2023-1319-1315278Fixed
php8.1sisyphus8.1.16-alt18.1.28-alt1ALT-PU-2023-1256-1315260Fixed
php8.1sisyphus_e2k8.1.16-alt18.1.28-alt1ALT-PU-2023-2563-1-Fixed
php8.1sisyphus_riscv648.1.16-alt18.1.28-alt1ALT-PU-2023-2569-1-Fixed
php8.1p108.1.16-alt18.1.28-alt1ALT-PU-2023-1284-1315276Fixed
php8.1p10_e2k8.1.16-alt18.1.28-alt1ALT-PU-2023-2607-1-Fixed
php8.1c10f18.1.16-alt18.1.28-alt1ALT-PU-2023-1284-1315276Fixed
php8.1c9f28.1.16-alt18.1.16-alt1ALT-PU-2023-1275-1315279Fixed
php8.1p118.1.16-alt18.1.28-alt1ALT-PU-2023-1256-1315260Fixed
php8.2sisyphus8.2.3-alt18.2.19-alt1ALT-PU-2023-1246-1315241Fixed
php8.2sisyphus_e2k8.2.3-alt18.2.18-alt1ALT-PU-2023-2547-1-Fixed
php8.2p108.2.3-alt18.2.19-alt1ALT-PU-2023-1246-1315241Fixed
php8.2p118.2.3-alt18.2.19-alt1ALT-PU-2023-1246-1315241Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/php/php-src/security/advisories/GHSA-7fj2-8x79-rjf4
  • Exploit
  • Vendor Advisory
https://bugs.php.net/bug.php?id=81744
  • Vendor Advisory

    1. Configuration 1

      cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
      Start including
      8.2.0
      End excliding
      8.2.3
      cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
      Start including
      8.1.0
      End excliding
      8.1.16
      cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
      Start including
      8.0.0
      End excliding
      8.0.28
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: v24.5.3
Back to top