In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.
References
Link | Resource |
---|---|
https://bugs.php.net/bug.php?id=81744 | Vendor Advisory |
https://github.com/php/php-src/security/advisories/GHSA-7fj2-8x79-rjf4 | Exploit Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
07 Nov 2023, 04:00
Type | Values Removed | Values Added |
---|---|---|
Summary | In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid. |
Information
Published : 2023-03-01 08:15
Updated : 2024-08-01 16:35
NVD link : CVE-2023-0567
Mitre link : CVE-2023-0567
CVE.ORG link : CVE-2023-0567
JSON object : View
Products Affected
php
- php
CWE
CWE-916
Use of Password Hash With Insufficient Computational Effort