CVE-2023-0568

Advisory lineage Upstream: 0 Downstream: 17

Downstream

DEBIAN-CVE-2023-0568 DLA-3345-1 DSA-5363-1 MGASA-2023-0065 OPENSUSE-SU-2024:12711-1 RHSA-2023:5926

Modified

Published: 16 Feb 2023, 06:34

Last modified:18 Mar 2025, 14:57

Vulnerability Summary

Overall Risk (default)

medium

42/100

CVSS Score

8.1 HIGH

v3.1 (nvd)

EPSS Score

0.44% LOW

0% probability +0.30%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

16 Feb 2023, 06:34

Published

Vulnerability first disclosed

18 Mar 2025, 14:57

Last Modified

Vulnerability information updated

Description

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
v3.1•HIGH•Score: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.44%• Percentile: 63%

Techniques & Countermeasures

CWE-131•Incorrect Calculation of Buffer Size
The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
CWE-770•Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Affected Systems

Unknown•PHP
≥ 8.0.x, < 8.0.28 | ≥ 8.1.x, < 8.1.16 | ≥ 8.2.x, < 8.2.3
Unknown•PHP
≥ 8.0.0, < 8.0.28 | ≥ 8.1.0, < 8.1.16 | ≥ 8.2.0, < 8.2.3