CVE-2023-3824
Buffer overflow and overread in phar_dir_read()
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
7Exploited in Wild
-Decision
Descriptions
In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE.
En PHP versión 8.0.* antes de 8.0.30, 8.1.* antes de 8.1.22, y 8.2.* antes de 8.2.8, al cargar el archivo phar, mientras se leen las entradas del directorio PHAR, una comprobación de longitud insuficiente puede conducir a un desbordamiento del búfer de pila, llevando potencialmente a corrupción de memoria o RCE.
A flaw was found in PHP that can lead to a buffer overflow and a stack information leak due to improper bounds checking within the phar_dir_read() function. This issue may allow an attacker to initiate memory corruption by compelling the application to open a specially crafted .phar archive, allowing the attacker to corrupt memory or cause a denial of service condition.
It was discovered that PHP incorrectly handled certain XML files. An attacker could possibly use this issue to expose sensitive information. It was discovered that PHP incorrectly handled certain PHAR files. An attacker could possibly use this issue to cause a crash, expose sensitive information or execute arbitrary code.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-07-21 CVE Reserved
- 2023-08-11 CVE Published
- 2024-03-10 First Exploit
- 2025-02-13 CVE Updated
- 2025-05-08 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CAPEC
- CAPEC-100: Overflow Buffers
References (12)
| URL | Tag | Source |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html | Mailing List |
|
| https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA | Mailing List |
|
| https://security.netapp.com/advisory/ntap-20230825-0001 | Third Party Advisory |
|
| URL | Date | SRC |
|---|---|---|
| https://github.com/jhonnybonny/CVE-2023-3824 | 2024-03-18 | |
| https://github.com/m1sn0w/CVE-2023-3824 | 2024-07-19 | |
| https://github.com/Starla2u/CVE-2023-3824-PHP-to-RCE-LockBit-LEAK | 2024-03-10 | |
| https://github.com/fr33c0d3/poc-cve-2023-3824 | 2025-01-08 | |
| https://github.com/bluefish3r/poc-cve | 2025-01-11 | |
| https://github.com/exploitdevelop/CVE-2023-3824 | 2025-02-10 | |
| https://github.com/php/php-src/security/advisories/GHSA-jqcx-ccgc-xwhv | 2025-02-13 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2023-3824 | 2024-12-11 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2230101 | 2024-12-11 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Php Search vendor "Php" | Php Search vendor "Php" for product "Php" | >= 8.0.0 < 8.0.30 Search vendor "Php" for product "Php" and version " >= 8.0.0 < 8.0.30" | - |
Affected
| ||||||
| Php Search vendor "Php" | Php Search vendor "Php" for product "Php" | >= 8.1.0 < 8.1.22 Search vendor "Php" for product "Php" and version " >= 8.1.0 < 8.1.22" | - |
Affected
| ||||||
| Php Search vendor "Php" | Php Search vendor "Php" for product "Php" | >= 8.2.0 < 8.2.9 Search vendor "Php" for product "Php" and version " >= 8.2.0 < 8.2.9" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 38 Search vendor "Fedoraproject" for product "Fedora" and version "38" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||