Updated: 2024-04-29 21:07:36.105629
Description:
In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.
Links | NIST | CIRCL | RHEL | Ubuntu |
CVSS version | Severity | Score |
---|---|---|
CVSS Version 2.x | NONE | 0 |
CVSS Version 3.x | MEDIUM | 4.8 |
OS name | Project name | Version | Score | Severity | Status | Errata | Last updated |
---|---|---|---|---|---|---|---|
EL 6 PHP | php | 8.0 | 4.8 | MEDIUM | In Testing | | 2024-05-14 11:16:21 |
EL 6 PHP | php | 7.2 | 4.8 | MEDIUM | In Testing | | 2024-05-14 11:16:26 |
EL 6 PHP | php | 5.6 | 4.8 | MEDIUM | In Testing | | 2024-05-14 11:16:18 |
EL 6 PHP | php | 7.4 | 4.8 | MEDIUM | In Testing | | 2024-05-14 11:16:22 |
EL 6 PHP | php | 7.3 | 4.8 | MEDIUM | In Testing | | 2024-05-14 11:16:26 |
EL 6 PHP | php | 7.1 | 4.8 | MEDIUM | In Testing | | 2024-05-14 11:16:17 |
EL 6 PHP | php | 5.5 | 4.8 | MEDIUM | In Testing | | 2024-05-14 11:16:21 |
EL 6 PHP | php | 7.0 | 4.8 | MEDIUM | In Testing | | 2024-05-14 11:16:18 |
EL 6 PHP | php | 5.3 | 4.8 | MEDIUM | Not Vulnerable | | 2024-05-08 10:07:17 |
EL 6 PHP | php | 5.2 | 4.8 | MEDIUM | Not Vulnerable | | 2024-05-08 10:07:17 |