Description
In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.
Mitigation
Minimal update. May introduce new vulnerabilities or breaking changes.
|
 debian 11 | | =7.4.21-1+deb11u1 || =7.4.25-1+deb11u1 || =7.4.26-1 || =7.4.28-1+deb11u1 || =7.4.30-1+deb11u1 || =7.4.33-1+deb11u1 || =7.4.33-1+deb11u3 || =7.4.33-1+deb11u4 || >=0 <7.4.33-1+deb11u5 | 7.4.33-1+deb11u5 |
debian 12 | | =8.2.10-1 || =8.2.10-2 || =8.2.12-1 || =8.2.16-1 || =8.2.16-2 || =8.2.17-1 || =8.2.5-2 || =8.2.7-1 || =8.2.7-1.1 || =8.2.7-1.2 || =8.2.7-1~deb12u1 || >=0 <8.2.18-1~deb12u1 | 8.2.18-1~deb12u1 |
 rpm rhel7 | | - | - |
rpm rhel9 | | | 0:8.0.30-2.el9 |
rpm rhel6 | | - | - |
rpm rhel8 | | <0:7.4.33-2.module+el8.10.0+22485+a3539972 | 0:7.4.33-2.module+el8.10.0+22485+a3539972 |
