CVE-2023-3823: XML External Entity (XXE) Injection in Group PHP

Severity
7.5 HIGH (NVD)
CNA: 8.6
EPSS
0.3% (top 43.00%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Aug 11
Latest update: Jul 3

Description

In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, various XML functions rely on libxml global state to track configuration variables, such as whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling the appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal pu
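The description above is the whole point for defenders: any PHP code that assumed "external entities are off unless I turn them on" was trusting a libxml flag that another extension could flip. The following is an added example, not code from cvebase or from the PHP project, of parsing untrusted XML without relying on that global state: it installs a refusing entity loader as a tripwire and rejects any document that carries a DOCTYPE at all. The function name and the constructed sample inputs are mine.

```php
<?php
declare(strict_types=1);

// Added example (not from cvebase or the PHP project): parse untrusted XML without
// depending on libxml's process-global "external entity loading disabled" state,
// which CVE-2023-3823 shows another extension in the same process can change.

/** Parse untrusted XML; returns the document, or null with the reason in $reason. */
function parseUntrustedXml(string $xml, ?string &$reason = null): ?DOMDocument
{
    // Tripwire: refuse every DTD/entity fetch regardless of the global flag and
    // record the attempt. Returning null makes libxml treat the resource as missing.
    libxml_set_external_entity_loader(
        static function (?string $publicId, ?string $systemId, array $ctx) use (&$reason): ?string {
            $reason = 'external resource refused: ' . ($systemId ?? $publicId ?? '?');
            return null;
        }
    );
    $prevErrors = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET forbids network fetches during the parse. Deliberately no
        // LIBXML_NOENT or LIBXML_DTDLOAD: those switch entity substitution and
        // external DTD loading on, and are what turns an entity declaration into a fetch.
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            $reason ??= 'malformed XML';
            return null;
        }
        // A DOCTYPE is the only place an entity can be declared; untrusted input
        // has no legitimate need for one, so reject the document outright.
        if ($dom->doctype !== null) {
            $reason = 'DOCTYPE not allowed in untrusted input';
            return null;
        }
        return $dom;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
        libxml_set_external_entity_loader(null); // restore PHP's default loader
    }
}

// Constructed inputs for illustration (placeholder URI, not a real resource).
$benign  = '<order><id>42</id></order>';
$hostile = '<!DOCTYPE d [<!ENTITY ext SYSTEM "placeholder://external">]><d>&ext;</d>';

var_dump(parseUntrustedXml($benign, $r) !== null);      // bool(true)
var_dump(parseUntrustedXml($hostile, $r) === null, $r); // bool(true), then the reason
```

The loader callback only fires if libxml actually tries to fetch something, so in normal operation it stays silent; a logged refusal is the signal that some parse in this process asked for external data it should not have.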

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

NVD: php/php, affected from 8.0.0, fixed in 8.0.30 (+2 more ranges)
CVEListV5: php_group/php, affected 8.0.*, fixed in 8.0.30 (+2 more ranges)

Also affects: Debian Linux 10.0, Fedora 38

Vulnerability Details (5)

OSV: php7.0 and php7.2 regression (2024-07-03)
OSV: php7.0, php7.2, php7.4 vulnerabilities (2024-02-27)
OSV: php8.1 vulnerabilities (2023-08-23)
CVEList: Security issue with external entity loading in XML without enabling it (2023-08-11)
OSV: CVE-2023-3823: In PHP versions 8 (2023-08-11)

Vendor Advisories (6)

Ubuntu: PHP regression (2024-07-03)
Ubuntu: PHP vulnerabilities (2024-02-27)
Ubuntu: PHP vulnerabilities (2023-08-23)
Microsoft: Security issue with external entity loading in XML without enabling it (2023-08-08)
Red Hat: php: XML loading external entity without being enabled (2023-08-03)
CVE-2023-3823 — XML External Entity (XXE) Injection | cvebase