In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.
References
Link | Resource |
---|---|
https://bugs.php.net/bug.php?id=81744 | Vendor Advisory |
https://github.com/php/php-src/security/advisories/GHSA-7fj2-8x79-rjf4 | Exploit Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
07 Nov 2023, 04:00
Type | Values Removed | Values Added |
---|---|---|
Summary | In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid. |
10 Mar 2023, 17:32
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:php:php:*:*:*:*:*:*:*:* | |
CWE | CWE-916 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.2 |
First Time |
Php
Php php |
|
References | (MISC) https://bugs.php.net/bug.php?id=81744 - Vendor Advisory | |
References | (MISC) https://github.com/php/php-src/security/advisories/GHSA-7fj2-8x79-rjf4 - Exploit, Vendor Advisory |
01 Mar 2023, 08:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-03-01 08:15
Updated : 2023-12-10 14:48
NVD link : CVE-2023-0567
Mitre link : CVE-2023-0567
CVE.ORG link : CVE-2023-0567
JSON object : View
Products Affected
php
- php
CWE
CWE-916
Use of Password Hash With Insufficient Computational Effort