CVE-2024-3096

Updated: 2024-04-29 21:07:36.105629

Description:

In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.


Links: NIST, CIRCL, RHEL, Ubuntu

Severity

Metric           | Severity | Score
CVSS Version 2.x | NONE     | 0
CVSS Version 3.x | MEDIUM   | 4.8

Status

OS name          | Project name | Version   | Score | Severity | Status         | Errata               | Last updated        | Statement
AlmaLinux 9.2 ESU | php         | 8.0.30    | 4.8   | MEDIUM   | Released       | CLSA-2025:1738691753 | 2025-02-05 02:56:20 |
CentOS 6 ELS      | php         | 5.3.3     | 4.8   | MEDIUM   | Not Vulnerable |                      | 2024-04-25 21:42:09 |
CentOS 7 ELS      | php         | 5.4.16    | 4.8   | MEDIUM   | Ignored        |                      | 2024-04-16 04:55:32 |
CentOS 8.4 ELS    | php         | 7.4.6     | 4.8   | MEDIUM   | Released       | CLSA-2025:1736284875 | 2025-01-08 00:36:57 |
CentOS 8.5 ELS    | php         | 7.4.19    | 4.8   | MEDIUM   | Released       | CLSA-2024:1735161696 | 2024-12-26 23:24:57 |
CentOS Stream 8 ELS | php       | 7.2.24    | 4.8   | MEDIUM   | Released       | CLSA-2024:1735310755 | 2024-12-27 22:23:56 |
CloudLinux 6 ELS  | php         | 5.3.3     | 4.8   | MEDIUM   | Not Vulnerable |                      | 2024-04-25 21:42:09 |
Oracle Linux 6 ELS | php        | 5.3.3     | 4.8   | MEDIUM   | Not Vulnerable |                      | 2024-04-25 21:42:09 |
Ubuntu 16.04 ELS  | php         | 7.0.33    | 4.8   | MEDIUM   | Released       | CLSA-2024:1714066065 | 2024-04-25 21:42:09 |
Ubuntu 18.04 ELS  | php         | 7.2.24-0  | 4.8   | MEDIUM   | Released       | CLSA-2024:1714066325 | 2024-04-25 21:42:10 |