CVE-2024-3096

Published: April 12, 2024Last modified: April 23, 2024

Description

In PHP  version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.

Severity score breakdown

ParameterValue
Base score6.5
Attack VectorNETWORK
Attack complexityLOW
Privileges requiredNONE
User interactionREQUIRED
ScopeUNCHANGED
ConfidentialityHIGH
Integrity impactNONE
Availability impactNONE
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Status

ProductReleasePackageStatus
Alpaquita Linux23 LTSphp81Fixed (8.1.28-r0)
Streamphp83Fixed (8.3.6-r0)

References

ON THIS PAGE