Use of Password Hash With Insufficient Computational Effort

CVE-2023-0567

Medium

6.2/10

Summary

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.

Attack Complexity: LOW
Attack Vector: LOCAL
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-916 - Use of Password Hash With Insufficient Computational Effort

The software generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

References

Advisory Timeline

Published Mar 01, 2023

Use of Password Hash With Insufficient Computational Effort

CVE-2023-0567

Summary

CWE-916 - Use of Password Hash With Insufficient Computational Effort

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS