{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-3823", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "state": "PUBLISHED", "assignerShortName": "php", "dateReserved": "2023-07-21T16:16:57.133Z", "datePublished": "2023-08-11T05:42:25.771Z", "dateUpdated": "2023-08-11T05:42:25.771Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "PHP", "vendor": "PHP Group", "versions": [{"lessThan": "8.0.30", "status": "affected", "version": "8.0.*", "versionType": "semver"}, {"lessThan": "8.1.22", "status": "affected", "version": "8.1.*", "versionType": "semver"}, {"lessThan": "8.2.8", "status": "affected", "version": "8.2.*", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Joas Schilling"}], "datePublic": "2023-08-05T04:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down.&nbsp;</span></p>"}], "value": "In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as\u00a0ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down.\u00a0\n\n"}], "impacts": [{"capecId": "CAPEC-197", "descriptions": [{"lang": "en", "value": "CAPEC-197 XML Entity Expansion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2023-08-11T05:42:25.771Z"}, "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-3qrf-m4j2-pcrr"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/"}, {"url": "https://security.netapp.com/advisory/ntap-20230825-0001/"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html"}], "source": {"advisory": "https://github.com/php/php-src/security/advisories/GHSA-3qrf-m4j", "discovery": "EXTERNAL"}, "title": "Security issue with external entity loading in XML without enabling it", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Disable external entity loader, e.g. like this:&nbsp;<pre>libxml_set_external_entity_loader(function () { return null; });</pre><br>"}], "value": "Disable external entity loader, e.g. like this:\u00a0libxml_set_external_entity_loader(function () { return null; });\n\n\n"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "C516377E-EAA8-4534-B0B8-4BF7A664DDFD", "versionEndExcluding": "8.0.30", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "3DA6AD3E-CB35-4AF2-86E9-3BC831728058", "versionEndExcluding": "8.1.22", "versionStartIncluding": "8.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "75AD1BDB-02D7-4727-8F08-8E1F794DB842", "versionEndExcluding": "8.2.9", "versionStartIncluding": "8.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as\u00a0ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down.\u00a0\n\n"}, {"lang": "es", "value": "En las versiones de PHP 8.0.* antes de la 8.0.30, 8.1.* antes de la 8.1.22, y 8.2.* antes de la 8.2.8 varias funciones XML se basan en el estado global de libxml para rastrear variables de configuraci\u00f3n, como si las entidades externas est\u00e1n cargadas. Se asume que este estado no cambia a menos que el usuario lo cambie expl\u00edcitamente llamando a la funci\u00f3n apropiada. Sin embargo, dado que el estado es global del proceso, otros m\u00f3dulos - como ImageMagick - pueden tambi\u00e9n usar esta librer\u00eda dentro del mismo proceso, y cambiar ese estado global para sus prop\u00f3sitos internos, y dejarlo en un estado en el que la carga de entidades externas est\u00e9 habilitada. Esto puede llevar a la situaci\u00f3n donde XML externo es analizado con entidades externas cargadas, lo que puede llevar a la divulgaci\u00f3n de cualquier archivo local accesible a PHP. Este estado vulnerable puede persistir en el mismo proceso a trav\u00e9s de muchas peticiones, hasta que el proceso sea cerrado."}], "id": "CVE-2023-3823", "lastModified": "2023-10-27T18:58:56.457", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "security@php.net", "type": "Secondary"}]}, "published": "2023-08-11T06:15:09.283", "references": [{"source": "security@php.net", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/php/php-src/security/advisories/GHSA-3qrf-m4j2-pcrr"}, {"source": "security@php.net", "tags": ["Mailing List"], "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html"}, {"source": "security@php.net", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/"}, {"source": "security@php.net", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20230825-0001/"}], "sourceIdentifier": "security@php.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}