CVE-2023-0662
DoS vulnerability when parsing multipart request body
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space.
A vulnerability was found in PHP. This security flaw occurs when the request body parsing in PHP allows any unauthenticated attacker to consume a large amount of CPU time and trigger excessive logging. A large amount of CPU time required for processing requests can block all available worker processes and significantly delay or slow the processing of legitimate user requests. The large volume of warning messages can wear down the disk and fill it up. A complete denial of service is achievable by sending many concurrent multipart requests in a loop. PHP parses the request body before invoking any application scripts. This vulnerability affects all PHP websites that accept POST request bodies (post_max_size set to a value greater than zero, the default value is 8MB).
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-02-03 CVE Reserved
- 2023-02-16 CVE Published
- 2024-08-02 CVE Updated
- 2024-09-08 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-400: Uncontrolled Resource Consumption
- CWE-779: Logging of Excessive Data
CAPEC
- CAPEC-130: Excessive Allocation
References (4)
URL | Tag | Source |
---|---|---|
https://github.com/php/php-src/security/advisories/GHSA-54hq-v5wp-fqgv | Third Party Advisory | |
https://security.netapp.com/advisory/ntap-20230517-0001 |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2023-0662 | 2024-01-24 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2170761 | 2024-01-24 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Php Search vendor "Php" | Php Search vendor "Php" for product "Php" | >= 8.0.0 < 8.0.28 Search vendor "Php" for product "Php" and version " >= 8.0.0 < 8.0.28" | - |
Affected
| ||||||
Php Search vendor "Php" | Php Search vendor "Php" for product "Php" | >= 8.1.0 < 8.1.16 Search vendor "Php" for product "Php" and version " >= 8.1.0 < 8.1.16" | - |
Affected
| ||||||
Php Search vendor "Php" | Php Search vendor "Php" for product "Php" | >= 8.2.0 < 8.2.3 Search vendor "Php" for product "Php" and version " >= 8.2.0 < 8.2.3" | - |
Affected
|