CVE-2023-3823

In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/php/php-src/security/advisories/GHSA-3qrf-m4j2-pcrr	Exploit Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/	Mailing List
https://security.netapp.com/advisory/ntap-20230825-0001/	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::

Configuration 2 (hide)

cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-08-11 06:15

Updated : 2023-10-27 18:58

NVD link : CVE-2023-3823

Mitre link : CVE-2023-3823

CVE.ORG link : CVE-2023-3823

JSON object : View

Products Affected

debian

debian_linux

fedoraproject

fedora

php

php

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2023-3823", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security@php.net", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 3.9}]}, "published": "2023-08-11T06:15:09.283", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-3qrf-m4j2-pcrr", "tags": ["Exploit", "Third Party Advisory"], "source": "security@php.net"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html", "tags": ["Mailing List"], "source": "security@php.net"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/", "tags": ["Mailing List"], "source": "security@php.net"}, {"url": "https://security.netapp.com/advisory/ntap-20230825-0001/", "tags": ["Third Party Advisory"], "source": "security@php.net"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as\u00a0ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down.\u00a0\n\n"}, {"lang": "es", "value": "En las versiones de PHP 8.0.* antes de la 8.0.30, 8.1.* antes de la 8.1.22, y 8.2.* antes de la 8.2.8 varias funciones XML se basan en el estado global de libxml para rastrear variables de configuraci\u00f3n, como si las entidades externas est\u00e1n cargadas. Se asume que este estado no cambia a menos que el usuario lo cambie expl\u00edcitamente llamando a la funci\u00f3n apropiada. Sin embargo, dado que el estado es global del proceso, otros m\u00f3dulos - como ImageMagick - pueden tambi\u00e9n usar esta librer\u00eda dentro del mismo proceso, y cambiar ese estado global para sus prop\u00f3sitos internos, y dejarlo en un estado en el que la carga de entidades externas est\u00e9 habilitada. Esto puede llevar a la situaci\u00f3n donde XML externo es analizado con entidades externas cargadas, lo que puede llevar a la divulgaci\u00f3n de cualquier archivo local accesible a PHP. Este estado vulnerable puede persistir en el mismo proceso a trav\u00e9s de muchas peticiones, hasta que el proceso sea cerrado."}], "lastModified": "2023-10-27T18:58:56.457", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C516377E-EAA8-4534-B0B8-4BF7A664DDFD", "versionEndExcluding": "8.0.30", "versionStartIncluding": "8.0.0"}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3DA6AD3E-CB35-4AF2-86E9-3BC831728058", "versionEndExcluding": "8.1.22", "versionStartIncluding": "8.1.0"}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "75AD1BDB-02D7-4727-8F08-8E1F794DB842", "versionEndExcluding": "8.2.9", "versionStartIncluding": "8.2.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}], "operator": "OR"}]}], "sourceIdentifier": "security@php.net"}