CVE-2024-3096

MEDIUM

CVSS v3

6.5

MEDIUM

EPSS Score

1.1%

exploit probability

CISA KEV

No

known exploited

Exploitation

SSVC status

Description

In PHP  version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\\x00), testing a blank string as the password via password_verify() will incorrectly return true.

Technical Details

Published
4/29/2024

Frequently Asked Questions

What is CVE-2024-3096?

In PHP  version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\\x00), testing a blank string as the password via password_verify() will incorrectly return true.

Is CVE-2024-3096 actively exploited?

Active exploitation of CVE-2024-3096 has not been confirmed. The EPSS score is 1.1%, indicating the estimated probability of exploitation in the next 30 days.

What is the CVSS score for CVE-2024-3096?

CVE-2024-3096 has a CVSS v3 base score of 6.5 (MEDIUM severity).

Is CVE-2024-3096 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.