CVE-2023-0567

MEDIUM6.2EPSS 0.14%

password_verify() always returns true for some invalid hashes

發布日:2023/3/1修改日:2026/4/28

描述

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.

受影響套件(5)

Bitnami/libphp>= 8.0.0, < 8.0.28, >= 8.1.0, < 8.1.16, >= 8.2.0, < 8.2.3
Bitnami/php>= 8.0.0, < 8.0.28, >= 8.1.0, < 8.1.16, >= 8.2.0, < 8.2.3
Bitnami/php-min>= 8.0.0, < 8.0.28, >= 8.1.0, < 8.1.16, >= 8.2.0, < 8.2.3
Debian/php7.4from 0, < 7.4.33-1+deb11u3
Debian/php8.2from 0, < 8.2.4-1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM6.2	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

參考連結(5)

ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2023-0567
WEBhttps://bugs.php.net/bug.php?id=81744
WEBhttps://github.com/php/php-src/security/advisories/GHSA-7fj2-8x79-rjf4
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2023-0567
WEBhttps://security.netapp.com/advisory/ntap-20230331-0008/