CVE-2023-3247


In PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, and 8.2.* before 8.2.7, when using SOAP HTTP Digest Authentication, the random value generator was not checked for failure and used a narrower range of values than it should have. If the random generator failed, this could disclose 31 bits of uninitialized memory from the client to the server, and it also made it easier for a malicious server to guess the client's nonce.


Published: 2023-07-22T05:15:37.460

Last Modified: 2024-11-21T08:16:47.640

Status: Modified

Source: [email protected]

Severity: CVSSv3.1 2.6 (LOW)

Weaknesses
  • Type: Secondary
    CWE-252
    CWE-330
  • Type: Primary
    CWE-330

Affected Vendors & Products
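| Type        | Vendor | Product | Version/Range | Vulnerable? |
|-------------|--------|---------|---------------|-------------|
| Application | php    | php     | < 8.0.29      | Yes         |
| Application | php    | php     | < 8.1.20      | Yes         |
| Application | php    | php     | < 8.2.7       | Yes         |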
