CVE-2023-0567 - OpenCVE

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Php	Php
Redhat	Enterprise Linux

Configuration 1 [-]

OR	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
php:8.0-8080020231006102311.0b4eb31d	cpe:/a:redhat:enterprise_linux:8	RHSA-2023:5927	2023-10-19T00:00:00Z
Red Hat Enterprise Linux 9
php-0:8.0.30-1.el9_2	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:5926	2023-10-19T00:00:00Z
php:8.1-9030020231221080340.9	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:0387	2024-01-24T00:00:00Z

References

Link	Providers
https://bugs.php.net/bug.php?id=81744
https://github.com/php/php-src/security/advisories/GHSA-7fj2-8x79-rjf4
https://nvd.nist.gov/vuln/detail/CVE-2023-0567
https://security.netapp.com/advisory/ntap-20230331-0008/
https://www.cve.org/CVERecord?id=CVE-2023-0567

History

No history.

MITRE

Status: PUBLISHED

Assigner: php

Published: 2023-02-16T06:15:50.127Z

Updated: 2024-08-02T05:17:50.104Z

Reserved: 2023-01-29T07:45:55.380Z

Link: CVE-2023-0567

Vulnrichment

Updated: 2024-07-31T20:13:47.480Z

NVD

Status : Modified

Published: 2023-03-01T08:15:11.530

Modified: 2024-08-01T16:35:02.767

Link: CVE-2023-0567

Redhat

Severity : Low

Publid Date: 2023-02-15T00:00:00Z

Links: CVE-2023-0567 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-0567", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "state": "PUBLISHED", "assignerShortName": "php", "dateReserved": "2023-01-29T07:45:55.380Z", "datePublished": "2023-02-16T06:15:50.127Z", "dateUpdated": "2024-08-02T05:17:50.104Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "PHP", "programRoutines": [{"name": "password_verify"}], "repo": "https://github.com/php/php-src", "vendor": "PHP Group", "versions": [{"lessThan": "8.0.28", "status": "affected", "version": "8.0.x", "versionType": "semver"}, {"lessThan": "8.1.16", "status": "affected", "version": "8.1.x", "versionType": "semver"}, {"lessThan": "8.2.3", "status": "affected", "version": "8.2.x", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "remediation developer", "user": "00000000-0000-4000-9000-000000000000", "value": "Tim D\u00fcsterhus"}, {"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "tech at mkdgs dot fr"}], "datePublic": "2023-02-13T05:40:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<br><p>In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid. </p>"}], "value": "In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.\u00a0\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2023-03-01T05:45:13.020935Z"}, "references": [{"url": "https://bugs.php.net/bug.php?id=81744"}, {"url": "https://github.com/php/php-src/security/advisories/GHSA-7fj2-8x79-rjf4"}], "source": {"discovery": "EXTERNAL"}, "title": "password_verify() always returns true for some invalid hashes", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}]}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20230331-0008/"}, {"url": "https://bugs.php.net/bug.php?id=81744", "tags": ["x_transferred"]}, {"url": "https://github.com/php/php-src/security/advisories/GHSA-7fj2-8x79-rjf4", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:17:50.104Z"}}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-916", "lang": "en", "description": "CWE-916 Use of Password Hash With Insufficient Computational Effort"}]}], "affected": [{"vendor": "php_group", "product": "php", "cpes": ["cpe:2.3:a:php_group:php:8.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:php_group:php:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:php_group:php:8.2.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "8.0.0", "status": "affected", "lessThan": "80.28", "versionType": "semver"}, {"version": "8.1.0", "status": "affected", "lessThan": "8.1.16", "versionType": "semver"}, {"version": "8.2.0", "status": "affected", "lessThan": "8.2.3", "versionType": "semver"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-08-01T15:34:47.733360Z", "id": "CVE-2023-0567", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-01T15:34:50.014Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20230331-0008/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-07-31T20:13:47.480Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-0567", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-01T15:34:47.733360Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:php_group:php:8.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:php_group:php:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:php_group:php:8.2.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.0.0", "lessThan": "80.28", "versionType": "semver"}, {"status": "affected", "version": "8.1.0", "lessThan": "8.1.16", "versionType": "semver"}, {"status": "affected", "version": "8.2.0", "lessThan": "8.2.3", "versionType": "semver"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-916", "description": "CWE-916 Use of Password Hash With Insufficient Computational Effort"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-01T15:34:09.505Z"}}], "cna": {"title": "password_verify() always returns true for some invalid hashes", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "remediation developer", "user": "00000000-0000-4000-9000-000000000000", "value": "Tim D\u00fcsterhus"}, {"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "tech at mkdgs dot fr"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/php/php-src", "vendor": "PHP Group", "product": "PHP", "versions": [{"status": "affected", "version": "8.0.x", "lessThan": "8.0.28", "versionType": "semver"}, {"status": "affected", "version": "8.1.x", "lessThan": "8.1.16", "versionType": "semver"}, {"status": "affected", "version": "8.2.x", "lessThan": "8.2.3", "versionType": "semver"}], "defaultStatus": "affected", "programRoutines": [{"name": "password_verify"}]}], "datePublic": "2023-02-13T05:40:00.000Z", "references": [{"url": "https://bugs.php.net/bug.php?id=81744"}, {"url": "https://github.com/php/php-src/security/advisories/GHSA-7fj2-8x79-rjf4"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.\u00a0\n\n", "supportingMedia": [{"type": "text/html", "value": "<br><p>In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid. </p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2023-03-01T05:45:13.020935Z"}}}, "cveMetadata": {"cveId": "CVE-2023-0567", "state": "PUBLISHED", "dateUpdated": "2024-08-01T15:34:50.014Z", "dateReserved": "2023-01-29T07:45:55.380Z", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "datePublished": "2023-02-16T06:15:50.127Z", "assignerShortName": "php"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "BBCCD85D-5679-42EE-B6C6-A9A309E2B4BC", "versionEndExcluding": "8.0.28", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "EDC7B443-3E3C-4888-AC9B-7415D2C5C059", "versionEndExcluding": "8.1.16", "versionStartIncluding": "8.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "7C14298C-48A4-4FD8-BFA0-808CF935490B", "versionEndExcluding": "8.2.3", "versionStartIncluding": "8.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.\u00a0\n\n"}], "id": "CVE-2023-0567", "lastModified": "2024-08-01T16:35:02.767", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.2, "source": "security@php.net", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-03-01T08:15:11.530", "references": [{"source": "security@php.net", "tags": ["Vendor Advisory"], "url": "https://bugs.php.net/bug.php?id=81744"}, {"source": "security@php.net", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/php/php-src/security/advisories/GHSA-7fj2-8x79-rjf4"}], "sourceIdentifier": "security@php.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-916"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-916"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:5927", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "php:8.0-8080020231006102311.0b4eb31d", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-10-19T00:00:00Z"}, {"advisory": "RHSA-2023:5926", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "php-0:8.0.30-1.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-10-19T00:00:00Z"}, {"advisory": "RHSA-2024:0387", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "php:8.1-9030020231221080340.9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-01-24T00:00:00Z"}], "bugzilla": {"description": "php: Password_verify() always return true with some hash", "id": "2170771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170771"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "verified"}, "cwe": "CWE-328", "details": ["In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.\u00a0", "A vulnerability was found in PHP. This security flaw occurs when malformatted BCrypt hashes that include a $ within their salt part trigger a buffer overread and may erroneously validate any password as valid."], "name": "CVE-2023-0567", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "php", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "php", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "php:7.4/php", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-php73-php", "product_name": "Red Hat Software Collections"}], "public_date": "2023-02-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-0567\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-0567\nhttps://github.com/php/php-src/security/advisories/GHSA-7fj2-8x79-rjf4"], "threat_severity": "Low"}