Fluid Attacks Database

Description

phpseclib Infinite Loop vulnerability Math/PrimeField.php in phpseclib has an infinite loop with composite primefields. This vulnerability was introduced in version 3.0.0, and has been patched in 3.0.19. The CVE for this issue originally identified the the vulnerable version as 2.x, however, the vulnerable functionality was not introduced until version 3.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	php-phpseclib3	>=0 <3.0.19-1	3.0.19-1
packagist	phpseclib/phpseclib	>=3.0.0 <3.0.19	3.0.19
debian 13	php-phpseclib3	>=0 <3.0.19-1	3.0.19-1
debian 14	php-phpseclib3	>=0 <3.0.19-1	3.0.19-1

Aliases

1. CVE-2023-275602. NVD-2023-275603. OSV-DEBIAN-2023-275604. OSV-2023-275605. GCVE-2023-275606. SECURITY-TRACKER-CVE-2023-27560

References

1. https://github.com/phpseclib/phpseclib/commit/6298d1cd55c3ffa44533bd41906caec246b604402. https://github.com/phpseclib/phpseclib/commit/6298d1cd55c3ffa44533bd41906caec246b60440#commitcomment-1032267223. https://github.com/FriendsOfPHP/security-advisories/blob/master/phpseclib/phpseclib/CVE-2023-27560.yaml4. https://github.com/phpseclib/phpseclib/releases/tag/3.0.19