vulnerability

Red Hat: CVE-2024-3096: php: password_verify can erroneously return true, opening ATO risk (Multiple Advisories)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:N/AC:H/Au:N/C:P/I:P/A:N)	2024-04-29	2025-02-10	2025-05-14

Severity

CVSS

(AV:N/AC:H/Au:N/C:P/I:P/A:N)

Published

2024-04-29

Added

2025-02-10

Modified

2025-05-14

Description

In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.

Solution(s)

redhat-upgrade-apcu-panelredhat-upgrade-libzipredhat-upgrade-libzip-debuginforedhat-upgrade-libzip-debugsourceredhat-upgrade-libzip-develredhat-upgrade-libzip-toolsredhat-upgrade-libzip-tools-debuginforedhat-upgrade-phpredhat-upgrade-php-bcmathredhat-upgrade-php-bcmath-debuginforedhat-upgrade-php-cliredhat-upgrade-php-cli-debuginforedhat-upgrade-php-commonredhat-upgrade-php-common-debuginforedhat-upgrade-php-dbaredhat-upgrade-php-dba-debuginforedhat-upgrade-php-dbgredhat-upgrade-php-dbg-debuginforedhat-upgrade-php-debuginforedhat-upgrade-php-debugsourceredhat-upgrade-php-develredhat-upgrade-php-embeddedredhat-upgrade-php-embedded-debuginforedhat-upgrade-php-enchantredhat-upgrade-php-enchant-debuginforedhat-upgrade-php-ffiredhat-upgrade-php-ffi-debuginforedhat-upgrade-php-fpmredhat-upgrade-php-fpm-debuginforedhat-upgrade-php-gdredhat-upgrade-php-gd-debuginforedhat-upgrade-php-gmpredhat-upgrade-php-gmp-debuginforedhat-upgrade-php-intlredhat-upgrade-php-intl-debuginforedhat-upgrade-php-jsonredhat-upgrade-php-json-debuginforedhat-upgrade-php-ldapredhat-upgrade-php-ldap-debuginforedhat-upgrade-php-mbstringredhat-upgrade-php-mbstring-debuginforedhat-upgrade-php-mysqlndredhat-upgrade-php-mysqlnd-debuginforedhat-upgrade-php-odbcredhat-upgrade-php-odbc-debuginforedhat-upgrade-php-opcacheredhat-upgrade-php-opcache-debuginforedhat-upgrade-php-pdoredhat-upgrade-php-pdo-debuginforedhat-upgrade-php-pearredhat-upgrade-php-pecl-apcuredhat-upgrade-php-pecl-apcu-debuginforedhat-upgrade-php-pecl-apcu-debugsourceredhat-upgrade-php-pecl-apcu-develredhat-upgrade-php-pecl-rrdredhat-upgrade-php-pecl-rrd-debuginforedhat-upgrade-php-pecl-rrd-debugsourceredhat-upgrade-php-pecl-xdebugredhat-upgrade-php-pecl-xdebug-debuginforedhat-upgrade-php-pecl-xdebug-debugsourceredhat-upgrade-php-pecl-xdebug3redhat-upgrade-php-pecl-xdebug3-debuginforedhat-upgrade-php-pecl-xdebug3-debugsourceredhat-upgrade-php-pecl-zipredhat-upgrade-php-pecl-zip-debuginforedhat-upgrade-php-pecl-zip-debugsourceredhat-upgrade-php-pgsqlredhat-upgrade-php-pgsql-debuginforedhat-upgrade-php-processredhat-upgrade-php-process-debuginforedhat-upgrade-php-snmpredhat-upgrade-php-snmp-debuginforedhat-upgrade-php-soapredhat-upgrade-php-soap-debuginforedhat-upgrade-php-xmlredhat-upgrade-php-xml-debuginforedhat-upgrade-php-xmlrpcredhat-upgrade-php-xmlrpc-debuginfo

References

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today