CVE-2023-3247

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-3247
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-3247.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-3247
Aliases
Related
Published
2023-07-22T05:15:37Z
Modified
2024-09-18T03:26:05.636049Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

In PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, 8.2.* before 8.2.7 when using SOAP HTTP Digest Authentication, random value generator was not checked for failure, and was using narrower range of values than it should have. In case of random generator failure, it could lead to a disclosure of 31 bits of uninitialized memory from the client to the server, and it also made easier to a malicious server to guess the client's nonce. 

References

Affected packages

Debian:11 / php7.4

Package

Name
php7.4
Purl
pkg:deb/debian/php7.4?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
7.4.33-1+deb11u4

Affected versions

7.*

7.4.21-1+deb11u1
7.4.25-1+deb11u1
7.4.26-1
7.4.28-1+deb11u1
7.4.30-1+deb11u1
7.4.33-1+deb11u1
7.4.33-1+deb11u3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / php8.2

Package

Name
php8.2
Purl
pkg:deb/debian/php8.2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.2.7-1~deb12u1

Affected versions

8.*

8.2.5-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / php8.2

Package

Name
php8.2
Purl
pkg:deb/debian/php8.2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.2.7-1

Affected versions

8.*

8.2.5-2
8.2.7-1~deb12u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/php/php-src

Affected ranges

Type
GIT
Repo
https://github.com/php/php-src
Events