CVE-2024-3096
Published: 16 April 2024
In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.
Notes
Author | Note |
---|---|
leosilva | version in noble is not affected see (LP: #2061147) |
Priority
Status
Package | Release | Status |
---|---|---|
php5 | focal | Does not exist |
php5 | jammy | Does not exist |
php5 | mantic | Does not exist |
php5 | noble | Does not exist |
php5 | trusty | Needs triage |
php5 | upstream | Needs triage |
php7.0 | focal | Does not exist |
php7.0 | jammy | Does not exist |
php7.0 | mantic | Does not exist |
php7.0 | noble | Does not exist |
php7.0 | upstream | Needs triage |
php7.0 | xenial | Released (7.0.33-0ubuntu0.16.04.16+esm9), available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
php7.2 | bionic | Released (7.2.24-0ubuntu0.18.04.17+esm3), available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
php7.2 | focal | Does not exist |
php7.2 | jammy | Does not exist |
php7.2 | mantic | Does not exist |
php7.2 | noble | Does not exist |
php7.2 | upstream | Needs triage |
php7.4 | focal | Released (7.4.3-4ubuntu2.22) |
php7.4 | jammy | Does not exist |
php7.4 | mantic | Does not exist |
php7.4 | noble | Does not exist |
php7.4 | upstream | Needs triage |
php8.1 | focal | Does not exist |
php8.1 | jammy | Released (8.1.2-1ubuntu2.17) |
php8.1 | mantic | Does not exist |
php8.1 | noble | Does not exist |
php8.1 | upstream | Released (8.1.28) |
php8.2 | bionic | Does not exist |
php8.2 | focal | Does not exist |
php8.2 | jammy | Does not exist |
php8.2 | mantic | Released (8.2.10-2ubuntu2.1) |
php8.2 | noble | Does not exist |
php8.2 | trusty | Does not exist |
php8.2 | upstream | Released (8.2.18) |
php8.2 | xenial | Does not exist |
php8.3 | bionic | Does not exist |
php8.3 | focal | Does not exist |
php8.3 | jammy | Does not exist |
php8.3 | mantic | Does not exist |
php8.3 | noble | Released (8.3.6-0maysync1) |
php8.3 | trusty | Does not exist |
php8.3 | upstream | Released (8.3.6) |
php8.3 | xenial | Does not exist |
Patches
upstream: https://github.com/php/php-src/commit/0ba5229a3f7572846e91c8f5382e87785f543826