CVE-2023-0567 - Use of Password Hash With Insufficient Computational Effort

Severity

62%

Complexity

25%

Confidentiality

60%

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid. 

CVSS 3.1 Base Score 6.2. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

Overview

First reported 1 year ago

2023-03-01 08:15:00

Last updated 1 year ago

2023-11-07 04:00:00

Affected Software

PHP PHP

References

https://github.com/php/php-src/security/advisories/GHSA-7fj2-8x79-rjf4

https://bugs.php.net/bug.php?id=81744

https://github.com/php/php-src/security/advisories/GHSA-7fj2-8x79-rjf4

Exploit, Vendor Advisory

https://bugs.php.net/bug.php?id=81744

Vendor Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.