CVE-2023-3824 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Group PHP

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer13 documents9 sources

Severity

9.8CRITICALNVD

CNA9.4OSV7.5VulnCheck9.4

EPSS

32.4%

top 3.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PHP Group PHP PHP Debian Linux +1 more

Timeline

PublishedAug 11

Latest updateJul 3

Description

In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDphp/php8.0.0 — 8.0.30+2

▶CVEListV5php_group/php8.0.* — 8.0.30+2

Also affects: Debian Linux 10.0, Fedora 38

🔴Vulnerability Details

OSV

php7.0 and php7.2 regression↗2024-07-03

▶

OSV

php7.0, php7.2, php7.4 vulnerabilities↗2024-02-27

▶

OSV

php8.1 vulnerabilities↗2023-08-23

▶

OSV

CVE-2023-3824: In PHP version 8↗2023-08-11

▶

CVEList

Buffer overflow and overread in phar_dir_read()↗2023-08-11

▶

📋Vendor Advisories

Ubuntu

PHP vulnerabilities↗2024-02-27

▶

Oracle

Oracle Oracle Communications Risk Matrix: Platform (PHP) — CVE-2023-3824↗2023-10-15

▶

Ubuntu

PHP vulnerabilities↗2023-08-23

▶

Microsoft

Buffer overflow and overread in phar_dir_read()↗2023-08-08

▶

Red Hat

php: phar Buffer mismanagement↗2023-08-03

▶