CVE-2024-3096
Published: April 12, 2024Last modified: April 23, 2024
Description
In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.
Severity score breakdown
| Parameter | Value | 
|---|---|
| Base score | 6.5 | 
| Attack Vector | NETWORK | 
| Attack complexity | LOW | 
| Privileges required | NONE | 
| User interaction | REQUIRED | 
| Scope | UNCHANGED | 
| Confidentiality | HIGH | 
| Integrity impact | NONE | 
| Availability impact | NONE | 
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | 
Status
| Product | Release | Package | Status | 
|---|---|---|---|
| Alpaquita Linux | 23 LTS | php81 | Fixed (8.1.28-r0) | 
| Stream | php83 | Fixed (8.3.6-r0) |