Asymmetric denial of service in phpseclib/phpseclib

Description

Phpseclib needs guardrails on large binaryfield integers

Impact

Anyone loading untrusted ASN.1 files (e.g. X.509 certificates, RSA PKCS#8 private or public keys, etc.) is affected.

Patches

https://github.com/phpseclib/phpseclib/commit/964d78101a70305df33f442f5490f0adb3b7e77f

Workarounds

No.

References

https://github.com/phpseclib/phpseclib/commit/964d78101a70305df33f442f5490f0adb3b7e77f
https://www.usenix.org/system/files/usenixsecurity25-shi-bing.pdf

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
