CVE-2024-3096 - OpenCVE

In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/04/12/11
https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr
https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html
https://nvd.nist.gov/vuln/detail/CVE-2024-3096
https://security.netapp.com/advisory/ntap-20240510-0010/
https://www.cve.org/CVERecord?id=CVE-2024-3096

History

No history.

MITRE

Status: PUBLISHED

Assigner: php

Published: 2024-04-29T03:42:04.093Z

Updated: 2024-08-01T19:32:42.742Z

Reserved: 2024-03-29T16:57:27.435Z

Link: CVE-2024-3096

Vulnrichment

Updated: 2024-08-01T19:32:42.742Z

NVD

Status : Awaiting Analysis

Published: 2024-04-29T04:15:08.350

Modified: 2024-06-10T18:15:36.050

Link: CVE-2024-3096

Redhat

Severity : Low

Publid Date: 2024-04-12T00:00:00Z

Links: CVE-2024-3096 - Bugzilla

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-3096", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "state": "PUBLISHED", "assignerShortName": "php", "dateReserved": "2024-03-29T16:57:27.435Z", "datePublished": "2024-04-29T03:42:04.093Z", "dateUpdated": "2024-08-01T19:32:42.742Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "PHP", "vendor": "PHP Group", "versions": [{"lessThan": "8.1.28", "status": "affected", "version": "8.1.*", "versionType": "semver"}, {"lessThan": "8.2.18", "status": "affected", "version": "8.2.*", "versionType": "semver"}, {"lessThan": "8.3.5", "status": "affected", "version": "8.3.*", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Eric Stern"}], "datePublic": "2024-04-11T22:59:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In PHP  version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\\x00), testing a blank string as the password via password_verify() will incorrectly return true.</p>"}], "value": "In PHP\u00a0 version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if\u00a0a password stored with password_hash() starts with a null byte (\\x00), testing a blank string as the password via password_verify() will incorrectly return true.\n\n"}], "impacts": [{"capecId": "CAPEC-52", "descriptions": [{"lang": "en", "value": "CAPEC-52 Embedding NULL Bytes"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2024-04-29T03:42:04.093Z"}, "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr"}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/12/11"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html"}, {"url": "https://security.netapp.com/advisory/ntap-20240510-0010/"}], "source": {"advisory": "https://github.com/php/php-src/security/advisories/GHSA-h746-cjr", "discovery": "EXTERNAL"}, "title": "PHP function password_verify can erroneously return true when argument contains NUL", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Pre-filter potential password strings to ensure they do not contain NUL bytes. "}], "value": "Pre-filter potential password strings to ensure they do not contain NUL bytes.\u00a0"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3096", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-04-29T15:14:15.199723Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:php_group:php:8.1.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.1.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:php_group:php:8.2.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.2.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:php_group:php:8.3.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.3.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:32:24.609Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:32:42.742Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/12/11", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240510-0010/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/12/11", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240510-0010/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:32:42.742Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3096", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-04-29T15:14:15.199723Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:php_group:php:8.1.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.1.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:php_group:php:8.2.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.2.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:php_group:php:8.3.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.3.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-29T15:17:34.528Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "PHP function password_verify can erroneously return true when argument contains NUL", "source": {"advisory": "https://github.com/php/php-src/security/advisories/GHSA-h746-cjr", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Eric Stern"}], "impacts": [{"capecId": "CAPEC-52", "descriptions": [{"lang": "en", "value": "CAPEC-52 Embedding NULL Bytes"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "PHP Group", "product": "PHP", "versions": [{"status": "affected", "version": "8.1.*", "lessThan": "8.1.28", "versionType": "semver"}, {"status": "affected", "version": "8.2.*", "lessThan": "8.2.18", "versionType": "semver"}, {"status": "affected", "version": "8.3.*", "lessThan": "8.3.5", "versionType": "semver"}], "defaultStatus": "affected"}], "datePublic": "2024-04-11T22:59:00.000Z", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr"}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/12/11"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html"}, {"url": "https://security.netapp.com/advisory/ntap-20240510-0010/"}], "workarounds": [{"lang": "en", "value": "Pre-filter potential password strings to ensure they do not contain NUL bytes.\u00a0", "supportingMedia": [{"type": "text/html", "value": "Pre-filter potential password strings to ensure they do not contain NUL bytes. ", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "In PHP\u00a0 version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if\u00a0a password stored with password_hash() starts with a null byte (\\x00), testing a blank string as the password via password_verify() will incorrectly return true.\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>In PHP  version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\\x00), testing a blank string as the password via password_verify() will incorrectly return true.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2024-04-29T03:42:04.093Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3096", "state": "PUBLISHED", "dateUpdated": "2024-08-01T19:32:42.742Z", "dateReserved": "2024-03-29T16:57:27.435Z", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "datePublished": "2024-04-29T03:42:04.093Z", "assignerShortName": "php"}, "dataVersion": "5.1"}

{"bugzilla": {"description": "php: password_verify can erroneously return true, opening ATO risk", "id": "2275061", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2275061"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-626", "details": ["In PHP\u00a0 version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if\u00a0a password stored with password_hash() starts with a null byte (\\x00), testing a blank string as the password via password_verify() will incorrectly return true.", "A null byte interaction error vulnerability was found in PHP. If a password stored with password_hash starts with a null byte (\\x00), testing a blank string as the password via password_verify will incorrectly return true. If a user can create a password with a leading null byte (unlikely, but syntactically valid), an attacker could trivially compromise the victim's account by attempting to sign in with a blank string."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-3096", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "php", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "php", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "php:7.4/php", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "php:8.0/php", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "php:8.2/php", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "php", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "php:8.1/php", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "php:8.2/php", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-04-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-3096\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-3096\nhttps://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr"], "statement": "The identified issue with password_verify treating a null byte (\\x00) at the beginning of a stored hash as the end of the string, leading to incorrect verification of a blank password, is categorized as low severity due to its narrow exploitability and specific conditions required for successful exploitation. The presence of a null byte in the password is uncommon and unlikely to occur under normal user input or system-generated password scenarios. Additionally, modern web applications typically employ input validation and strict password policies that would prevent the creation of passwords with null byte prefixes.", "threat_severity": "Low", "upstream_fix": "php 8.1.28, php 8.2.18, php 8.3.6"}