Description
In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.
A null byte interaction error vulnerability was found in PHP. If a password stored with password_hash starts with a null byte (\x00), testing a blank string as the password via password_verify will incorrectly return true. If a user can create a password with a leading null byte (unlikely, but syntactically valid), an attacker could trivially compromise the victim's account by attempting to sign in with a blank string.
Statement
The identified issue with password_verify treating a null byte (\x00) at the beginning of a stored hash as the end of the string, leading to incorrect verification of a blank password, is categorized as low severity due to its narrow exploitability and specific conditions required for successful exploitation. The presence of a null byte in the password is uncommon and unlikely to occur under normal user input or system-generated password scenarios. Additionally, modern web applications typically employ input validation and strict password policies that would prevent the creation of passwords with null byte prefixes.
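An application-level guard of the kind the statement refers to (input validation that keeps null-byte and blank passwords away from the hashing API), as an added example that is not code from the advisory, from Red Hat or from the PHP project; the class name `PasswordGuard` and the runtime version check are this example's own assumptions, with the fixed-version thresholds taken from the description above:

```php
<?php
declare(strict_types=1);

// Added example, not code from the advisory or the PHP project: an application-level
// guard around password_hash()/password_verify(). Fixed-version thresholds are the
// ones the description lists for the affected 8.1/8.2/8.3 branches.
final class PasswordGuard
{
    private const FIXED = ['8.1' => '8.1.28', '8.2' => '8.2.18', '8.3' => '8.3.5'];

    /** true/false for the listed branches; null when the branch is not one of them. */
    public static function runtimeIsFixed(string $version = PHP_VERSION): ?bool
    {
        $branch = implode('.', array_slice(explode('.', $version), 0, 2));
        if (!isset(self::FIXED[$branch])) {
            return null; // decide from the vendor advisory instead
        }
        return version_compare($version, self::FIXED[$branch], '>=');
    }

    /** Inputs that must never reach the hashing API: empty or containing a NUL byte. */
    public static function isAcceptable(string $password): bool
    {
        return $password !== '' && strpos($password, "\0") === false;
    }

    public static function hash(string $password): string
    {
        if (!self::isAcceptable($password)) {
            throw new InvalidArgumentException('password must be non-empty and contain no NUL byte');
        }
        return password_hash($password, PASSWORD_DEFAULT);
    }

    /** A blank or NUL-bearing candidate is refused before password_verify() sees it. */
    public static function verify(string $candidate, string $storedHash): bool
    {
        return self::isAcceptable($candidate) && password_verify($candidate, $storedHash);
    }
}

// Constructed usage:
try {
    PasswordGuard::hash("\0secret"); // rejected before anything is stored
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
$hash = PasswordGuard::hash('correct horse battery');
var_dump(PasswordGuard::verify('', $hash), PasswordGuard::runtimeIsFixed());
```

`verify('')` returns `false` on every PHP version because the candidate never reaches `password_verify()`; `runtimeIsFixed()` only reports on the three branches the description names and leaves other branches to the vendor advisory.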
Mitigation
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected packages
Platform | Package | State | Advisory | Release date |
---|---|---|---|---|
Red Hat Enterprise Linux 6 | php | Out of support scope | | |
Red Hat Enterprise Linux 7 | php | Out of support scope | | |
Red Hat Enterprise Linux 8 | php:8.0/php | Fix deferred | | |
Red Hat Enterprise Linux 8 | php | Fixed | RHSA-2024:10951 | 11.12.2024 |
Red Hat Enterprise Linux 8 | php | Fixed | RHSA-2024:10952 | 11.12.2024 |
Red Hat Enterprise Linux 9 | php | Fixed | RHSA-2024:10949 | 11.12.2024 |
Red Hat Enterprise Linux 9 | php | Fixed | RHSA-2024:10950 | 11.12.2024 |
Red Hat Enterprise Linux 9 | php | Fixed | RHSA-2025:7315 | 13.05.2025 |
Additional information
Status:
EPSS:
CVSS3: 4.8 Medium
Related vulnerabilities
password_verify can erroneously return true, opening ATO risk