CVE-2023-0567

HIGH

PHP <8.0.28-8.1.16-8.2.3 - Info Disclosure

Title source: llm

Description

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.

References (3)

[Vendor Advisory] https://bugs.php.net/bug.php?id=81744

[Exploit, Vendor Advisory] https://github.com/php/php-src/security/advisories/GHSA-7fj2-8x79-rjf4

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20230331-0008/

Scores

CVSS v3 7.7

EPSS 0.0006

EPSS Percentile 17.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-916

Status published

Products (1)

php/php 8.0.0 - 8.0.28

Published Mar 01, 2023

Tracked Since Feb 18, 2026