CVE-2024-3096

PHP function password_verify can erroneously return true when argument contains NUL

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.

En la versión PHP 8.1.* anterior a 8.1.28, 8.2.* anterior a 8.2.18, 8.3.* anterior a 8.3.5, si una contraseña almacenada con contraseña_hash() comienza con un byte nulo (\x00), se prueba una cadena en blanco como la contraseña a través de contraseña_verify() devolverá verdadero incorrectamente.

*Credits: Eric Stern

CVSS Scores

PHP Groupv3.1 6.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-03-29 CVE Reserved
2024-04-16 CVE Published
2024-05-08 EPSS Updated
2024-08-01 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation

CAPEC

CAPEC-52: Embedding NULL Bytes

References (4)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/04/12/11
https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr
https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html
https://security.netapp.com/advisory/ntap-20240510-0010

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
PHP Group Search vendor "PHP Group"		PHP Search vendor "PHP Group" for product "PHP"				>= 8.1.0 < 8.1.28 Search vendor "PHP Group" for product "PHP" and version " >= 8.1.0 < 8.1.28"		en		Affected
PHP Group Search vendor "PHP Group"		PHP Search vendor "PHP Group" for product "PHP"				>= 8.2.0 < 8.2.18 Search vendor "PHP Group" for product "PHP" and version " >= 8.2.0 < 8.2.18"		en		Affected
PHP Group Search vendor "PHP Group"		PHP Search vendor "PHP Group" for product "PHP"				>= 8.3.0 < 8.3.5 Search vendor "PHP Group" for product "PHP" and version " >= 8.3.0 < 8.3.5"		en		Affected