CVE-2023-3823

Published: 11/08/2023 Updated: 27/10/2023
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

In PHP versions 8.0.* prior to 8.0.30, 8.1.* prior to 8.1.22, and 8.2.* prior to 8.2.8, various XML functions rely on libxml global state to track configuration variables, such as whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling the appropriate function. However, since the state is process-global, other modules, such as ImageMagick, may also use this library within the same process, change that global state for their internal purposes, and leave it in a state where external entity loading is enabled. This can lead to a situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down.
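As an added defensive example (not part of this CVE record and not PHP's own source), the following PHP shows how an application can parse untrusted XML without depending on the process-global libxml state the summary describes: it installs a resolver that refuses every external entity, rejects documents that carry a DOCTYPE at all, and names its parser options explicitly on each call rather than inheriting whatever another libxml user left behind. The function names, the sample document and the `file:///nonexistent/canary.txt` path are constructed for the demonstration.

```php
<?php
declare(strict_types=1);
// Added example, not code from the CVE record or from the PHP project.

/**
 * Bootstrap hardening: refuse every external entity for this PHP process,
 * regardless of the libxml global state other modules (e.g. ImageMagick)
 * may have switched on. Install once, before any XML is parsed.
 */
function refuseExternalEntities(): void
{
    libxml_set_external_entity_loader(
        // Returning null tells libxml the entity cannot be resolved, so the
        // parser records an error instead of reading a local file or a URL.
        static fn(?string $publicId, ?string $systemId, array $context) => null
    );
}

/**
 * Parse untrusted XML with explicit, per-call parser options (no network,
 * no DTD loading, no entity substitution) and reject any DOCTYPE outright.
 * Returns the document, or null with the libxml messages in $errors.
 */
function parseUntrustedXml(string $xml, array &$errors = []): ?DOMDocument
{
    $errors = [];
    $previous = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        // Name only the options we want; never pass LIBXML_NOENT or LIBXML_DTDLOAD.
        $ok = $doc->loadXML($xml, LIBXML_NONET);
        $errors = array_map(
            static fn(LibXMLError $e): string => trim($e->message),
            libxml_get_errors()
        );
        libxml_clear_errors();
        if (!$ok) {
            return null;
        }
        // Untrusted input has no business declaring entities at all.
        if ($doc->doctype !== null) {
            $errors[] = 'DOCTYPE rejected in untrusted XML';
            return null;
        }
        return $doc;
    } finally {
        libxml_use_internal_errors($previous);
    }
}

// Constructed sample: the shape of a document that would read a local file
// if entity loading had been left enabled by another libxml user.
$sample = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE r [ <!ENTITY canary SYSTEM "file:///nonexistent/canary.txt"> ]>
<r>&canary;</r>
XML;

refuseExternalEntities();
$doc = parseUntrustedXml($sample, $errors);
var_dump($doc === null);   // true: the DOCTYPE is rejected before any entity is used
print_r($errors);
```

The DOCTYPE check is the layer that does not depend on libxml at all, and the resolver installed by `refuseExternalEntities()` is consulted whenever libxml attempts to fetch an external entity, so it holds even in a process whose global substitution setting has been flipped. Note that `libxml_set_external_entity_loader()` reports only success, not the previous resolver, which is why the example installs it once at bootstrap rather than swapping it per call.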

Vulnerable Products

php php

fedoraproject fedora 38

debian debian linux 10.0

Vendor Advisories

Debian Bug report logs - #1043477 php82: CVE-2023-3823 CVE-2023-3824. Package: src:php82; Maintainer for src:php82 is Debian PHP Maintainers <team+pkg-php@tracker.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Fri, 11 Aug 2023 21:39:01 UTC; Severity: grave; Tags: security, upstream; Found in ...
Red Hat Security Advisory (Important): php security update. An update for php is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security ...
Red Hat Security Advisory (Important): php:8.0 security update. An update for the php:8.0 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update a ...
Red Hat Security Advisory (Moderate): php:8.1 security update. An update for the php:8.1 module is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as ...
GHSA-76gg-c692-v2mw: Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP. NOTE: Fixed in 8.2.7, 8.1.20, 8.0.29. NOTE: github.com/php/php-src/security/advisories/GHSA-76gg-c692-v2mw. NOTE: github.com/php/php-src/commit/ac4254ad764c70cb1f05c9270d8d12689fc3aeb6 (php-8.0.29). NOTE: github.com/php/ph ...