Fluid Attacks Database

Description

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	php8.2	>=0 <8.2.4-1	8.2.4-1
debian 11	php7.4	=7.4.21-1+deb11u1 \|\| =7.4.25-1+deb11u1 \|\| =7.4.26-1 \|\| =7.4.28-1+deb11u1 \|\| =7.4.30-1+deb11u1 \|\| =7.4.33-1+deb11u1 \|\| >=0 <7.4.33-1+deb11u3	7.4.33-1+deb11u3
rpm rhel6	php	-	-
rpm rhel7	php	-	-
rpm rhel8	php	<0:7.4.33-2.module+el8.10.0+22485+a3539972	0:7.4.33-2.module+el8.10.0+22485+a3539972
rpm rhel9	php	<0:8.0.30-1.el9_2	0:8.0.30-1.el9_2

Aliases

1. CVE-2023-05672. NVD-2023-05673. OSV-DEBIAN-2023-05674. OSV-2023-05675. SECURITY-TRACKER-CVE-2023-0567

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.