DEBIAN-CVE-2024-3096

DEBIAN-CVE-2024-3096 PUBLISHED CVSS 6.5 MEDIUM

In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.

Risk Scores

CVSS v3.1

6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Affected Products

Vendor	Product	Versions
Debian:12	php8.2	0, 8.2.10-1, 8.2.10-2
Debian:11	php7.4	0, 7.4.21-1+deb11u1, 7.4.25-1+deb11u1

Timeline

Apr 29, 2024 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2024-3096 advisory

Open in Interactive Console →