PT-2023-9407 · Php+10

Tim Düsterhus +1 · Published 2023-01-05 · Updated 2025-08-11 · CVE-2023-0567

CVSS v3.1: 8.1 High
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
PHP versions 8.0.0 through 8.0.27
PHP versions 8.1.0 through 8.1.15
PHP versions 8.2.0 through 8.2.2

Description
The issue is related to the password verification function in PHP, which may accept some invalid Blowfish hashes as valid. If such an invalid hash ends up in the password database, the application may accept any password for that entry as valid. This is due to insufficient computation of the password hash. The password_verify() function is specifically affected.

Recommendations
For PHP versions 8.0.0 through 8.0.27, update to version 8.0.28 or later.
For PHP versions 8.1.0 through 8.1.15, update to version 8.1.16 or later.
For PHP versions 8.2.0 through 8.2.2, update to version 8.2.3 or later.
As a temporary workaround, consider restricting access to the password_verify() function until a patch is available. Avoid using invalid Blowfish hashes in the password database to minimize the risk of exploitation.
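As an added example (not part of this advisory and not PHP's own code), the following script implements the last recommendation above: it scans a password store for Blowfish hashes that do not have the canonical bcrypt layout, so they can be flagged before password_verify() is ever asked to check them, and it wraps password_verify() so a malformed stored hash is refused outright. The sample store is constructed for illustration; the regular expression encodes the standard 60-character bcrypt format (prefix, two-digit cost, 22 salt characters and 31 digest characters from the ./A-Za-z0-9 alphabet) and assumes the store only ever holds $2a$, $2b$, $2x$ or $2y$ hashes.

```php
<?php
declare(strict_types=1);

/*
 * Canonical bcrypt ("Blowfish") hash layout, 60 characters in total:
 *   $2y$  two-digit cost (04..31)  $  22 salt chars  31 digest chars
 * Salt and digest use bcrypt's own base64 alphabet: ./A-Za-z0-9
 * Anything that does not match is treated as malformed and is never
 * handed to password_verify() as a trusted credential.
 */
const BCRYPT_PATTERN = '/^\$2[abxy]\$(0[4-9]|[12][0-9]|3[01])\$[.\/A-Za-z0-9]{53}$/';

function isWellFormedBcryptHash(string $hash): bool
{
    return preg_match(BCRYPT_PATTERN, $hash) === 1;
}

/*
 * Returns the user names whose stored hash is not a well-formed bcrypt hash.
 * $store maps user name => stored hash string.
 */
function findMalformedHashes(array $store): array
{
    $bad = [];
    foreach ($store as $user => $hash) {
        if (!isWellFormedBcryptHash($hash)) {
            $bad[] = $user;
        }
    }
    return $bad;
}

/*
 * Defensive wrapper: refuse to verify against a malformed hash instead of
 * relying on password_verify() to reject it. On patched PHP this is belt
 * and braces; on an unpatched build it closes the "any password is valid"
 * outcome described in the advisory.
 */
function safePasswordVerify(string $password, string $storedHash): bool
{
    if (!isWellFormedBcryptHash($storedHash)) {
        return false;
    }
    return password_verify($password, $storedHash);
}

// Constructed sample store (hypothetical users, not real credentials).
$store = [
    // A genuine bcrypt hash, generated on the spot so the script runs offline.
    'alice'   => password_hash('example-password', PASSWORD_BCRYPT, ['cost' => 10]),
    // Truncated: correct prefix but too short to be a complete hash.
    'bob'     => '$2y$10$' . str_repeat('a', 40),
    // Illegal characters ('!') inside the salt portion.
    'carol'   => '$2y$10$' . str_repeat('a', 20) . '!!' . str_repeat('a', 31),
    // Not a Blowfish hash at all (MD5-crypt style prefix).
    'dave'    => '$1$saltsalt$' . str_repeat('b', 22),
];

$malformed = findMalformedHashes($store);
echo "Entries needing a forced password reset: " . implode(', ', $malformed) . "\n";
// Expected: bob, carol, dave

// The wrapper rejects malformed entries for any password, and still
// verifies the well-formed one normally.
var_dump(safePasswordVerify('anything at all', $store['carol']));   // bool(false)
var_dump(safePasswordVerify('wrong-password', $store['alice']));    // bool(false)
var_dump(safePasswordVerify('example-password', $store['alice']));  // bool(true)
```

The regex is a format sanity check, not a proof that the stored value was produced by a correct bcrypt implementation: it does not, for instance, enforce the restricted set of values allowed in the 22nd salt character. Entries it flags should be invalidated and regenerated with password_hash() at the user's next successful authentication rather than left in place.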


Related Identifiers

ALSA-2023:5926
ALSA-2023:5927
ALSA-2024:0387
ALSA-2024:10952
ALT-PU-2023-1246
ALT-PU-2023-1251
ALT-PU-2023-1256
ALT-PU-2023-1275
ALT-PU-2023-1284
ALT-PU-2023-1319
ALT-PU-2023-8445
AZL-13740
BDU:2024-07326
BIT-LIBPHP-2023-0567
BIT-PHP-2023-0567
BIT-PHP-MIN-2023-0567
CESA-2023_5927
CESA-2024_10952
CVE-2023-0567
DLA-3345-1
DSA-5363-1
GHSA-7FJ2-8X79-RJF4
INFSA-2023_5926
INFSA-2024_10952
MGASA-2023-0065
OESA-2023-1619
OESA-2023-1620
OESA-2023-1621
OESA-2023-1622
OPENSUSE-SU-2024:12711-1
RHSA-2023:5926
RHSA-2023:5927
RHSA-2023_5926
RHSA-2023_5927
RHSA-2024:0387
RHSA-2024:10952
RHSA-2024_0387
RHSA-2024_10952
RLSA-2023:5926
RLSA-2023:5927
RLSA-2024:0387
RLSA-2024:10952
SUSE-SU-2023:0476-1
SUSE-SU-2023:0513-1
SUSE-SU-2023:0514-1
SUSE-SU-2023:0515-1
SUSE-SU-2023_0513-1
SUSE-SU-2023_0514-1
SUSE-SU-2023_0515-1
USN-5902-1
USN-6053-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Php
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu