CVE-2024-3096

CVSS V2: None
CVSS V3: None
Description
In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.
Overview
  • CVE ID: CVE-2024-3096
  • Assigner: php
  • Vulnerability Status: PUBLISHED
  • Published Version: 2024-04-29T03:42:04.093Z
  • Last Modified Date: 2024-04-29T03:42:04.093Z
History
  • Created: 2024-06-23 23:23:16
  • Notes: Added to TrackCVE