CVE-2024-3096
CVSS V2 None
CVSS V3 None
Description
In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.
Overview
- CVE ID
- CVE-2024-3096
- Assigner
- php
- Vulnerability Status
- PUBLISHED
- Published Version
- 2024-04-29T03:42:04.093Z
- Last Modified Date
- 2024-04-29T03:42:04.093Z
Weakness Enumerations
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-3096 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3096 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2024-06-23 23:23:16 | Added to TrackCVE |