CVE-2024-3096 PHP function password_verify can erroneously return true when argument contains NUL

2024-04-2903:42:04

CWE-20

php

www.cve.org

cve-2024-3096

php

password_verify

nul

8.1

8.2

8.3

password_hash

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

6.9 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.6%

JSON

In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "PHP",
    "vendor": "PHP Group",
    "versions": [
      {
        "lessThan": "8.1.28",
        "status": "affected",
        "version": "8.1.*",
        "versionType": "semver"
      },
      {
        "lessThan": "8.2.18",
        "status": "affected",
        "version": "8.2.*",
        "versionType": "semver"
      },
      {
        "lessThan": "8.3.5",
        "status": "affected",
        "version": "8.3.*",
        "versionType": "semver"
      }
    ]
  }
]