CVE-2023-0567

Summary

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.

Affected Software

VendorProductVersion RangeStatus
PHP GroupPHP8.0.x < 8.0.28affected
PHP GroupPHP8.1.x < 8.1.16affected
PHP GroupPHP8.2.x < 8.2.3affected

Weaknesses

  • n/a

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References