{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-3823", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "state": "PUBLISHED", "assignerShortName": "php", "dateReserved": "2023-07-21T16:16:57.133Z", "datePublished": "2023-08-11T05:42:25.771Z", "dateUpdated": "2024-08-02T07:08:50.269Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "PHP", "vendor": "PHP Group", "versions": [{"lessThan": "8.0.30", "status": "affected", "version": "8.0.*", "versionType": "semver"}, {"lessThan": "8.1.22", "status": "affected", "version": "8.1.*", "versionType": "semver"}, {"lessThan": "8.2.8", "status": "affected", "version": "8.2.*", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Joas Schilling"}], "datePublic": "2023-08-05T04:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down.&nbsp;</span></p>"}], "value": "In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as\u00a0ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down.\u00a0\n\n"}], "impacts": [{"capecId": "CAPEC-197", "descriptions": [{"lang": "en", "value": "CAPEC-197 XML Entity Expansion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2023-08-11T05:42:25.771Z"}, "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-3qrf-m4j2-pcrr"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/"}, {"url": "https://security.netapp.com/advisory/ntap-20230825-0001/"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html"}], "source": {"advisory": "https://github.com/php/php-src/security/advisories/GHSA-3qrf-m4j", "discovery": "EXTERNAL"}, "title": "Security issue with external entity loading in XML without enabling it", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Disable external entity loader, e.g. like this:&nbsp;<pre>libxml_set_external_entity_loader(function () { return null; });</pre><br>"}], "value": "Disable external entity loader, e.g. like this:\u00a0libxml_set_external_entity_loader(function () { return null; });\n\n\n"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:08:50.269Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-3qrf-m4j2-pcrr", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230825-0001/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "C516377E-EAA8-4534-B0B8-4BF7A664DDFD", "versionEndExcluding": "8.0.30", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "3DA6AD3E-CB35-4AF2-86E9-3BC831728058", "versionEndExcluding": "8.1.22", "versionStartIncluding": "8.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "75AD1BDB-02D7-4727-8F08-8E1F794DB842", "versionEndExcluding": "8.2.9", "versionStartIncluding": "8.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as\u00a0ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down.\u00a0\n\n"}, {"lang": "es", "value": "En las versiones de PHP 8.0.* antes de la 8.0.30, 8.1.* antes de la 8.1.22, y 8.2.* antes de la 8.2.8 varias funciones XML se basan en el estado global de libxml para rastrear variables de configuraci\u00f3n, como si las entidades externas est\u00e1n cargadas. Se asume que este estado no cambia a menos que el usuario lo cambie expl\u00edcitamente llamando a la funci\u00f3n apropiada. Sin embargo, dado que el estado es global del proceso, otros m\u00f3dulos - como ImageMagick - pueden tambi\u00e9n usar esta librer\u00eda dentro del mismo proceso, y cambiar ese estado global para sus prop\u00f3sitos internos, y dejarlo en un estado en el que la carga de entidades externas est\u00e9 habilitada. Esto puede llevar a la situaci\u00f3n donde XML externo es analizado con entidades externas cargadas, lo que puede llevar a la divulgaci\u00f3n de cualquier archivo local accesible a PHP. Este estado vulnerable puede persistir en el mismo proceso a trav\u00e9s de muchas peticiones, hasta que el proceso sea cerrado."}], "id": "CVE-2023-3823", "lastModified": "2023-10-27T18:58:56.457", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "security@php.net", "type": "Secondary"}]}, "published": "2023-08-11T06:15:09.283", "references": [{"source": "security@php.net", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/php/php-src/security/advisories/GHSA-3qrf-m4j2-pcrr"}, {"source": "security@php.net", "tags": ["Mailing List"], "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html"}, {"source": "security@php.net", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/"}, {"source": "security@php.net", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20230825-0001/"}], "sourceIdentifier": "security@php.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:5927", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "php:8.0-8080020231006102311.0b4eb31d", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-10-19T00:00:00Z"}, {"advisory": "RHSA-2023:5926", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "php-0:8.0.30-1.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-10-19T00:00:00Z"}, {"advisory": "RHSA-2024:0387", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "php:8.1-9030020231221080340.9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-01-24T00:00:00Z"}], "bugzilla": {"description": "php: XML loading external entity without being enabled", "id": "2229396", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2229396"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-611", "details": ["In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as\u00a0ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down.\u00a0", "A flaw was found in PHP due to inadequate validation of user-supplied XML input. By leveraging specially crafted XML code, a remote attacker could obtain sensitive information by viewing the contents of arbitrary files on the system or initiating requests to external systems. This issue may allow unauthorized access to sensitive data and the potential for network scanning of internal and external infrastructure."], "mitigation": {"lang": "en:us", "value": "To avoid XML external entity attacks, either disable external entity loading if it's not necessary for your application or change the default external entity loader by using `libxml_set_external_entity_loader`. This can be used to suppress the expansion of arbitrary external entities. For PHP versions prior to 8.0, the following should be set when using the default PHP XML parser in order to prevent XXE:\nhttps://www.php.net/manual/en/function.libxml-set-external-entity-loader.php"}, "name": "CVE-2023-3823", "package_state": [{"cpe": "cpe:/a:redhat:jboss_developer_studio:12.", "fix_state": "Out of support scope", "package_name": "php", "product_name": "Red Hat CodeReady Studio 12"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "php", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "php", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "php:7.4/php", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "fix_state": "Not affected", "package_name": "php", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-php73-php", "product_name": "Red Hat Software Collections"}], "public_date": "2023-08-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-3823\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-3823\nhttps://github.com/php/php-src/commit/c283c3ab0ba45d21b2b8745c1f9c7cbfe771c975\nhttps://github.com/php/php-src/security/advisories/GHSA-3qrf-m4j2-pcrr\nhttps://www.php.net/ChangeLog-8.php#8.0.30"], "statement": "Every application/library/server that is parsing/interacting with XML documents is affected.", "threat_severity": "Moderate", "upstream_fix": "php 8.2.9, php 8.1.22, php 8.0.30"}