CVE-2024-3096
29.04.2024, 04:15
In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, ifa password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.Enginsight
| Vendor | Product | Version |
|---|---|---|
| php | php | 8.1.0 ≤ 𝑥 < 8.1.28 |
| php | php | 8.2.0 ≤ 𝑥 < 8.2.18 |
| php | php | 8.3.0 ≤ 𝑥 < 8.3.5 |
| debian | debian_linux | 10.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| php5 |
| ||||||||||||||||||
| php7.0 |
| ||||||||||||||||||
| php7.2 |
| ||||||||||||||||||
| php7.4 |
| ||||||||||||||||||
| php8.1 |
| ||||||||||||||||||
| php8.2 |
| ||||||||||||||||||
| php8.3 |
|
Common Weakness Enumeration
References