CVE-2023-0567

Name
CVE-2023-0567
Description
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, the password_verify() function may accept some invalid Blowfish hashes as valid. If such an invalid hash ever ends up in the password database, it may lead to an application accepting any password for this entry as valid.
NVD Severity
medium

References

| Type | URI |
|------|-----|
| MISC | https://github.com/php/php-src/security/advisories/GHSA-7fj2-8x79-rjf4 |
| MISC | https://bugs.php.net/bug.php?id=81744 |

Match rules

| CPE URI | Source package | Min version | Max version |
|---------|----------------|-------------|-------------|
|         | php            | >= 8.0.x    | < 8.0.28    |
|         | php            | >= 8.1.x    | < 8.1.16    |
|         | php            | >= 8.2.x    | < 8.2.3     |

Vulnerable and fixed packages

| Source package | Branch         | Version   | Maintainer                           | Status |
|----------------|----------------|-----------|--------------------------------------|--------|
| php82          | edge-community | 8.2.3-r0  | Andy Postnikov <apostnikov@gmail.com> | fixed  |
| php82          | 3.22-community | 8.2.3-r0  | None                                 | fixed  |
| php82          | 3.21-community | 8.2.3-r0  | None                                 | fixed  |
| php82          | 3.20-community | 8.2.3-r0  | None                                 | fixed  |
| php82          | 3.19-community | 8.2.3-r0  | None                                 | fixed  |
| php82          | 3.18-community | 8.2.3-r0  | None                                 | fixed  |
| php81          | edge-community | 8.1.16-r0 | Andy Postnikov <apostnikov@gmail.com> | fixed  |
| php81          | 3.19-community | 8.1.16-r0 | None                                 | fixed  |
| php81          | 3.18-community | 8.1.16-r0 | None                                 | fixed  |
| php81          | 3.17-community | 8.1.16-r0 | Andy Postnikov <apostnikov@gmail.com> | fixed  |