Blank Password String Can Trigger False Positive Matches in PHP password_verify()
CVE-2024-3096

6.5 MEDIUM

Key Information:

Vendor: PHP Group
Status: Vendor
CVE Published: 29 April 2024

Badges

Ransomware, Exploit Exists, News Worthy

Summary

In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, and 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.

Affected Version(s)

PHP 8.1.* < 8.1.28

PHP 8.2.* < 8.2.18

News Articles

Mageia 2024-0132: php Security Advisory Updates | LinuxSecurity.com

Mageia 2024-0132: php Security Advisory Updates - MGASA-2024-0132. Updated php packages fix security vulnerabilities. Publication date: 13 Apr 2024. URL:

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Used in Ransomware
  • Exploit known to exist
  • Vulnerability published
  • First article discovered by Linux Security

Credit

Eric Stern