{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-3096", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "state": "PUBLISHED", "assignerShortName": "php", "dateReserved": "2024-03-29T16:57:27.435Z", "datePublished": "2024-04-29T03:42:04.093Z", "dateUpdated": "2025-02-13T17:47:50.089Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "PHP", "vendor": "PHP Group", "versions": [{"lessThan": "8.1.28", "status": "affected", "version": "8.1.*", "versionType": "semver"}, {"lessThan": "8.2.18", "status": "affected", "version": "8.2.*", "versionType": "semver"}, {"lessThan": "8.3.5", "status": "affected", "version": "8.3.*", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Eric Stern"}], "datePublic": "2024-04-11T22:59:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In PHP&nbsp; version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if&nbsp;a password stored with password_hash() starts with a null byte (\\x00), testing a blank string as the password via password_verify() will incorrectly return true.</p>"}], "value": "In PHP\u00a0 version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if\u00a0a password stored with password_hash() starts with a null byte (\\x00), testing a blank string as the password via password_verify() will incorrectly return true."}], "impacts": [{"capecId": "CAPEC-52", "descriptions": [{"lang": "en", "value": "CAPEC-52 Embedding NULL Bytes"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2024-06-10T17:09:44.676Z"}, "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr"}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/12/11"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html"}, {"url": "https://security.netapp.com/advisory/ntap-20240510-0010/"}], "source": {"advisory": "https://github.com/php/php-src/security/advisories/GHSA-h746-cjr", "discovery": "EXTERNAL"}, "title": "PHP function password_verify can erroneously return true when argument contains NUL", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Pre-filter potential password strings to ensure they do not contain NUL bytes.&nbsp;"}], "value": "Pre-filter potential password strings to ensure they do not contain NUL bytes."}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3096", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-04-29T15:14:15.199723Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:php_group:php:8.1.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.1.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:php_group:php:8.2.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.2.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:php_group:php:8.3.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.3.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:32:24.609Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:32:42.742Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/12/11", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240510-0010/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/12/11", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240510-0010/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:32:42.742Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3096", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-04-29T15:14:15.199723Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:php_group:php:8.1.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.1.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:php_group:php:8.2.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.2.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:php_group:php:8.3.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.3.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-29T15:17:34.528Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "PHP function password_verify can erroneously return true when argument contains NUL", "source": {"advisory": "https://github.com/php/php-src/security/advisories/GHSA-h746-cjr", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Eric Stern"}], "impacts": [{"capecId": "CAPEC-52", "descriptions": [{"lang": "en", "value": "CAPEC-52 Embedding NULL Bytes"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "PHP Group", "product": "PHP", "versions": [{"status": "affected", "version": "8.1.*", "lessThan": "8.1.28", "versionType": "semver"}, {"status": "affected", "version": "8.2.*", "lessThan": "8.2.18", "versionType": "semver"}, {"status": "affected", "version": "8.3.*", "lessThan": "8.3.5", "versionType": "semver"}], "defaultStatus": "affected"}], "datePublic": "2024-04-11T22:59:00.000Z", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr"}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/12/11"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html"}, {"url": "https://security.netapp.com/advisory/ntap-20240510-0010/"}], "workarounds": [{"lang": "en", "value": "Pre-filter potential password strings to ensure they do not contain NUL bytes.\u00a0", "supportingMedia": [{"type": "text/html", "value": "Pre-filter potential password strings to ensure they do not contain NUL bytes.&nbsp;", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "In PHP\u00a0 version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if\u00a0a password stored with password_hash() starts with a null byte (\\x00), testing a blank string as the password via password_verify() will incorrectly return true.\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>In PHP&nbsp; version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if&nbsp;a password stored with password_hash() starts with a null byte (\\x00), testing a blank string as the password via password_verify() will incorrectly return true.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2024-04-29T03:42:04.093Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3096", "state": "PUBLISHED", "dateUpdated": "2024-08-01T19:32:42.742Z", "dateReserved": "2024-03-29T16:57:27.435Z", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "datePublished": "2024-04-29T03:42:04.093Z", "assignerShortName": "php"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In PHP\u00a0 version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if\u00a0a password stored with password_hash() starts with a null byte (\\x00), testing a blank string as the password via password_verify() will incorrectly return true."}, {"lang": "es", "value": "En la versi\u00f3n PHP 8.1.* anterior a 8.1.28, 8.2.* anterior a 8.2.18, 8.3.* anterior a 8.3.5, si una contrase\u00f1a almacenada con contrase\u00f1a_hash() comienza con un byte nulo (\\x00), se prueba una cadena en blanco como la contrase\u00f1a a trav\u00e9s de contrase\u00f1a_verify() devolver\u00e1 verdadero incorrectamente."}], "id": "CVE-2024-3096", "lastModified": "2025-02-13T18:18:09.553", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@php.net", "type": "Secondary"}]}, "published": "2024-04-29T04:15:08.350", "references": [{"source": "security@php.net", "url": "http://www.openwall.com/lists/oss-security/2024/04/12/11"}, {"source": "security@php.net", "url": "https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr"}, {"source": "security@php.net", "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html"}, {"source": "security@php.net", "url": "https://security.netapp.com/advisory/ntap-20240510-0010/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/04/12/11"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240510-0010/"}], "sourceIdentifier": "security@php.net", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@php.net", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:10951", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "php:8.2-8100020241112130045.f7998665", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-12-11T00:00:00Z"}, {"advisory": "RHSA-2024:10952", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "php:7.4-8100020241113075828.f7998665", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-12-11T00:00:00Z"}, {"advisory": "RHSA-2024:10949", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "php:8.2-9050020241112094217.9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-12-11T00:00:00Z"}, {"advisory": "RHSA-2024:10950", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "php:8.1-9050020241112144108.9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-12-11T00:00:00Z"}], "bugzilla": {"description": "php: password_verify can erroneously return true, opening ATO risk", "id": "2275061", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2275061"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-626", "details": ["In PHP\u00a0 version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if\u00a0a password stored with password_hash() starts with a null byte (\\x00), testing a blank string as the password via password_verify() will incorrectly return true.", "A null byte interaction error vulnerability was found in PHP. If a password stored with password_hash starts with a null byte (\\x00), testing a blank string as the password via password_verify will incorrectly return true. If a user can create a password with a leading null byte (unlikely, but syntactically valid), an attacker could trivially compromise the victim's account by attempting to sign in with a blank string."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-3096", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "php", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "php", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "php:8.0/php", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "php", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-04-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-3096\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-3096\nhttps://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr"], "statement": "The identified issue with password_verify treating a null byte (\\x00) at the beginning of a stored hash as the end of the string, leading to incorrect verification of a blank password, is categorized as low severity due to its narrow exploitability and specific conditions required for successful exploitation. The presence of a null byte in the password is uncommon and unlikely to occur under normal user input or system-generated password scenarios. Additionally, modern web applications typically employ input validation and strict password policies that would prevent the creation of passwords with null byte prefixes.", "threat_severity": "Low", "upstream_fix": "php 8.1.28, php 8.2.18, php 8.3.6"}