CVE-2023-3824

EUVD-2023-44452
In PHP version 8.0.* before 8.0.30,  8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.4 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
phpCNA
9.4 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 96%
Affected Products (NVD)
VendorProductVersion
phpphp
8.0.0 ≤
𝑥
< 8.0.30
phpphp
8.1.0 ≤
𝑥
< 8.1.22
phpphp
8.2.0 ≤
𝑥
< 8.2.9
debiandebian_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
php7.4
bookworm
postponed
bullseye
7.4.33-1+deb11u5
fixed
bullseye (security)
7.4.33-1+deb11u7
fixed
php8.2
bookworm
8.2.24-1~deb12u1
postponed
bookworm (security)
8.2.26-1~deb12u1
fixed
sid
8.2.27-1
fixed
trixie
8.2.27-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
php5
bionic
dne
focal
dne
jammy
dne
lunar
dne
mantic
dne
noble
dne
oracular
dne
trusty
ignored
xenial
dne
php7.0
bionic
dne
focal
dne
jammy
dne
lunar
dne
mantic
dne
noble
dne
oracular
dne
trusty
dne
xenial
Fixed 7.0.33-0ubuntu0.16.04.16+esm8
released
php7.2
bionic
Fixed 7.2.24-0ubuntu0.18.04.17+esm2
released
focal
dne
jammy
dne
lunar
dne
mantic
dne
noble
dne
oracular
dne
trusty
dne
xenial
dne
php7.4
bionic
dne
focal
Fixed 7.4.3-4ubuntu2.20
released
jammy
dne
lunar
dne
mantic
dne
noble
dne
oracular
dne
trusty
dne
xenial
dne
php8.1
bionic
dne
focal
dne
jammy
Fixed 8.1.2-1ubuntu2.14
released
lunar
Fixed 8.1.12-1ubuntu4.3
released
mantic
dne
noble
dne
oracular
dne
trusty
dne
xenial
dne
php8.2
bionic
ignored
focal
dne
jammy
dne
lunar
dne
mantic
not-affected
noble
dne
oracular
dne
trusty
ignored
xenial
ignored
Common Weakness Enumeration
References
https://github.com/php/php-src/security/advisories/GHSA-jqcx-ccgc-xwhv
https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/
https://security.netapp.com/advisory/ntap-20230825-0001/
https://github.com/php/php-src/security/advisories/GHSA-jqcx-ccgc-xwhv
https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/
https://security.netapp.com/advisory/ntap-20230825-0001/