CVE-2023-0568 HIGH

CVE-2023-0568: Array overrun in common path resolve code

Vendor: PHP Group
Product: PHP
Weakness: CWE-131
Published: February 16, 2023
Last update: March 18, 2025

CVSS base score

7.5/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: Required
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, the core path resolution function allocates a buffer one byte too small. When resolving paths with lengths close to the system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with a NUL value, which might lead to unauthorized data access or modification.
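The sizing error described above (CWE-131), shown as an added example that is a constructed model and not PHP's own code: the same store routine is run with a buffer sized for the characters only and with one sized for the characters plus the terminator. `DEMO_MAXPATHLEN`, `struct arena` and all function names are assumptions made for the illustration; the adjacent byte is modelled inside a larger array so the effect is observable without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for the platform limit; a real MAXPATHLEN is larger. */
#define DEMO_MAXPATHLEN 16
#define CANARY 0xAA

/* Models the heap: bytes [0, cap) are the path buffer, and the byte at
   index cap is whatever the allocator happened to place next to it. */
struct arena {
    unsigned char mem[DEMO_MAXPATHLEN + 2];
    size_t cap; /* size requested for the path buffer */
};

/* Undersized: room for the characters but not for the terminator. */
static size_t size_undersized(size_t path_len) { return path_len; }
/* Corrected: one extra byte for the terminating NUL. */
static size_t size_corrected(size_t path_len) { return path_len + 1; }

/* Copies path into the modelled buffer and terminates it.
   Returns 1 if the NUL landed outside the buffer, 0 if inside, -1 if too long. */
static int store_path(struct arena *a, const char *path, size_t (*size_fn)(size_t))
{
    size_t len = strlen(path);
    if (len >= DEMO_MAXPATHLEN) return -1;
    memset(a->mem, CANARY, sizeof a->mem); /* fill neighbours with a known value */
    a->cap = size_fn(len);
    memcpy(a->mem, path, len);
    a->mem[len] = '\0';                    /* index len == cap when undersized */
    return len >= a->cap;
}

/* Byte adjacent to the buffer: CANARY if intact, 0 if overwritten. */
static unsigned char neighbour(const struct arena *a) { return a->mem[a->cap]; }

int main(void)
{
    struct arena a;
    const char *p = "/var/www/a.php"; /* constructed sample path */
    int out = store_path(&a, p, size_undersized);
    printf("undersized: out_of_bounds=%d neighbour=0x%02x\n", out, (unsigned)neighbour(&a));
    out = store_path(&a, p, size_corrected);
    printf("corrected:  out_of_bounds=%d neighbour=0x%02x\n", out, (unsigned)neighbour(&a));
    return 0;
}
```
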

Key dates

02 Disclosure timeline

February 16, 2023: CVE published
March 18, 2025: Record updated