CVE-2023-0567

Updated: 2024-11-30 03:40:10.52385

Description:

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, the password_verify() function may accept some invalid Blowfish (bcrypt) hashes as valid. If such an invalid hash ever ends up in the password database, the application may accept any password for that entry as valid.
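The failure mode above is only reachable if a malformed bcrypt string is stored as a password hash in the first place, so a practical control alongside upgrading PHP is to validate hash shape before storing and to scan existing rows for entries that do not look like a complete bcrypt hash. The following is an added example written for this page, not code from PHP or from any vendor advisory; it checks the documented bcrypt layout (`$2y$`, a two-digit cost of 04 to 31, then 22 salt plus 31 digest characters from the bcrypt alphabet, 60 characters in total) and does not reproduce the specific invalid inputs PHP mis-accepted, which this page does not describe. The sample rows are constructed.

```python
import re

# Documented shape of a bcrypt ("Blowfish") hash as emitted by PHP's password_hash():
#   $2y$ <cost 04..31> $ <22-char salt><31-char digest>  -> 60 characters in total,
#   salt and digest drawn from the bcrypt base64 alphabet [./A-Za-z0-9].
# $2a$/$2b$/$2x$ prefixes are accepted as well since they share the same layout.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(?:0[4-9]|[12][0-9]|3[01])\$[./A-Za-z0-9]{53}$")


def is_well_formed_bcrypt(stored):
    """True only if the stored value has the exact bcrypt layout (string, 60 chars)."""
    return isinstance(stored, str) and BCRYPT_RE.fullmatch(stored) is not None


def find_malformed_hashes(rows):
    """Scan (user_id, stored_hash) pairs; return [(user_id, reason)] for bad entries.

    The order of checks is chosen so the reason points at the most obvious defect.
    """
    findings = []
    for user_id, stored in rows:
        if not stored:
            findings.append((user_id, "empty hash"))
        elif not stored.startswith("$2"):
            findings.append((user_id, "not a bcrypt hash"))
        elif len(stored) != 60:
            findings.append((user_id, "wrong length %d" % len(stored)))
        elif not is_well_formed_bcrypt(stored):
            findings.append((user_id, "invalid characters or cost field"))
    return findings


# Constructed sample data (not real hashes): one well-formed value and five defects.
_SALT = "abcdefghijklmnopqrstuv"                # 22 bcrypt-alphabet chars
_DIGEST = "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"     # 31 bcrypt-alphabet chars
VALID_HASH = "$2y$10$" + _SALT + _DIGEST         # 60 chars

SAMPLE_ROWS = [
    ("alice", VALID_HASH),
    ("bob", "$2y$10$" + _SALT + _DIGEST[:28]),           # truncated: 57 chars
    ("carol", "$2y$99$" + _SALT + _DIGEST),              # cost field out of range
    ("dave", ""),                                        # empty hash column
    ("erin", "5f4dcc3b5aa765d61d8327deb882cf99"),        # legacy unsalted MD5-style hex
    ("frank", "$2y$10$" + "a" * 22 + "$" + "b" * 30),    # stray '$' inside salt/digest
]


if __name__ == "__main__":
    for user_id, reason in find_malformed_hashes(SAMPLE_ROWS):
        print("%-6s %s" % (user_id, reason))
```

Run the scan against the real password table (replacing `SAMPLE_ROWS`) and treat any finding as an account that must have its credential reset rather than verified, since on an unpatched PHP such a row may match any password; store a hash only when `is_well_formed_bcrypt()` returns True.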


Links: NIST, CIRCL, RHEL, Ubuntu

Severity

Metric           | Severity | Score
CVSS Version 2.x |          | 0
CVSS Version 3.x | MEDIUM   | 6.2

Status

OS name           | Project name | Version  | Score | Severity | Status        | Errata                | Last updated        | Statement
AlmaLinux 9.2 ESU | php          | 8.0.30   | 6.2   | MEDIUM   | Needs Triage  |                       | 2025-01-08 23:25:37 |
CentOS 6 ELS      | php          | 5.3.3    | 6.2   | MEDIUM   | Released      | CLSA-2023:1678395661  | 2023-03-20 14:05:03 | Will not fix: low score
CentOS 7 ELS      | php          | 5.4.16   | 6.2   | MEDIUM   | Ignored       |                       | 2024-01-21 08:36:30 | Will not fix: low score
CentOS 8.4 ELS    | php          | 7.4.6    | 6.2   | MEDIUM   | Released      | CLSA-2023:1679350071  | 2023-03-20 21:14:31 | Will not fix: low score
CentOS 8.5 ELS    | php          | 7.4.19   | 6.2   | MEDIUM   | Released      | CLSA-2023:1679350425  | 2023-03-20 21:14:31 | Will not fix: low score
CentOS Stream 8 ELS | php        | 7.2.24   | 6.2   | MEDIUM   | Released      | CLSA-2024:1735311613  | 2024-12-28 22:37:36 |
CloudLinux 6 ELS  | php          | 5.3.3    | 6.2   | MEDIUM   | Released      | CLSA-2023:1678395833  | 2023-03-20 17:04:57 | Will not fix: low score
Oracle Linux 6 ELS | php         | 5.3.3    | 6.2   | MEDIUM   | Released      | CLSA-2023:1678396156  | 2023-03-09 20:03:01 | Will not fix: low score
Ubuntu 16.04 ELS  | php          | 7.0.33   | 6.2   | MEDIUM   | Released      | CLSA-2023:1677784124  | 2023-03-02 16:04:10 | Will not fix: low score
Ubuntu 18.04 ELS  | php          | 7.2.24-0 | 6.2   | MEDIUM   | Already Fixed |                       | 2023-11-08 04:14:51 | Will not fix: low score