Уязвимость CVE-2023-3823: Информация

Описание

In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down. 

Важность: HIGH (7,5) Вектор: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2023-3823
Опубликовано: 11 августа 2023 г.
Изменено: 27 октября 2023 г.
Идентификатор типа ошибки: CWE-611

Исправленные пакеты

Имя пакета
Ветка
Исправлено в версии
Версия в репозитории
Errata ID
№ Задания
Состояние
php8.0p108.0.30-alt18.0.30-alt1ALT-PU-2023-5713-2329785Исправлено
php8.0p10_e2k8.0.30-alt18.0.30-alt1ALT-PU-2023-5813-1-Исправлено
php8.0c10f18.0.30-alt18.0.30-alt1ALT-PU-2023-5714-2329786Исправлено
php8.1p108.1.23-alt18.1.28-alt1ALT-PU-2023-5911-3330469Исправлено
php8.1p10_e2k8.1.23-alt18.1.28-alt1ALT-PU-2023-6104-1-Исправлено
php8.1c10f18.1.25-alt18.1.28-alt1ALT-PU-2023-7019-2333829Исправлено
php8.2c10f18.2.12-alt18.2.15-alt1ALT-PU-2023-7021-2333840Исправлено

Ссылки на рекомендации, решения и инструменты

Ссылка
Ресурс
https://github.com/php/php-src/security/advisories/GHSA-3qrf-m4j2-pcrr
  • Exploit
  • Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/
  • Mailing List
https://security.netapp.com/advisory/ntap-20230825-0001/
  • Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html
  • Mailing List

    1. Конфигурация 1

      cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
      Start including
      8.1.0
      End excliding
      8.1.22
      cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
      Start including
      8.0.0
      End excliding
      8.0.30
      cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
      Start including
      8.2.0
      End excliding
      8.2.9

      Конфигурация 2

      cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*

      Конфигурация 3

      cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Версия: v24.5.1
Наверх