CVE-2023-0567
Advisory lineage Upstream: 0 Downstream: 16
Modified
Published: 16 Feb 2023, 06:15
Last modified:02 Aug 2024, 05:17
Vulnerability Summary
Overall Risk (default)
medium
41/100 CVSS Score
7.7 HIGH
v3.1 (cve.org)
EPSS Score
0.14% LOW
0% probability +0.11%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected
Timeline
16 Feb 2023, 06:15
Published
Vulnerability first disclosed
02 Aug 2024, 05:17
Last Modified
Vulnerability information updated
Description
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.
CVSS Metrics
- v3.1•HIGH•Score: 7.7CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- v3.1•MEDIUM•Score: 6.2CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Trends
Current EPSS score: 0.14%• Percentile: 34%
Techniques & Countermeasures
- CWE-916•Use of Password Hash With Insufficient Computational Effort
The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
Affected Systems
- Unknown•PHP
≥ 8.0.x, < 8.0.28 | ≥ 8.1.x, < 8.1.16 | ≥ 8.2.x, < 8.2.3
- Unknown•PHP
≥ 8.0.0, < 8.0.28 | ≥ 8.1.0, < 8.1.16 | ≥ 8.2.0, < 8.2.3