CVE-2024-3096

Severity CVSS v4.0:

Pending analysis

Type:

CWE-20 Input Validation

Publication date:

29/04/2024

Last modified:

13/02/2025

Description

In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS v3.1 Severity and Metrics:

Base Score: 6.50 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

Base Score 3.x

6.50

Severity 3.x

MEDIUM

References to Advisories, Solutions, and Tools

http://www.openwall.com/lists/oss-security/2024/04/12/11
https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr
https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html
https://security.netapp.com/advisory/ntap-20240510-0010/
http://www.openwall.com/lists/oss-security/2024/04/12/11
https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr
https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html
https://security.netapp.com/advisory/ntap-20240510-0010/