Fluid Attacks Database

Description

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	php7.4	=7.4.21-1+deb11u1 \|\| =7.4.25-1+deb11u1 \|\| =7.4.26-1 \|\| =7.4.28-1+deb11u1 \|\| =7.4.30-1+deb11u1 \|\| =7.4.33-1+deb11u1 \|\| >=0 <7.4.33-1+deb11u3	7.4.33-1+deb11u3
debian 12	php8.2	>=0 <8.2.4-1	8.2.4-1
rpm rhel7	php	-	-
rpm rhel6	php	-	-
rpm rhel8	php	-	-
rpm rhel9	php	<0:8.0.30-1.el9_2	0:8.0.30-1.el9_2

Aliases

1. CVE-2023-05682. NVD-2023-05683. OSV-DEBIAN-2023-05684. OSV-2023-05685. SECURITY-TRACKER-CVE-2023-0568

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.