CVE-2023-0567

7.7 HIGH

📋 TL;DR

A vulnerability in PHP's password_verify() function allows invalid Blowfish (bcrypt, $2y$) password hashes to be accepted as valid. This can enable an authentication bypass if such an invalid hash ends up stored in a password database. Affects PHP applications that use password_verify() with Blowfish hashing.

💻 Affected Systems

Products:
  • PHP
Versions: PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16, 8.2.X before 8.2.3
Operating Systems: All operating systems running affected PHP versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using password_verify() with Blowfish hashes. Other hashing algorithms are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete authentication bypass for user accounts with compromised hashes, potentially leading to unauthorized access, privilege escalation, and data breaches.

🟠 Likely Case

Authentication bypass for specific user accounts where attackers can inject or generate invalid Blowfish hashes into the password database.

🟢 If Mitigated

Limited impact if proper input validation and hash verification are implemented, or if affected systems are patched.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to inject invalid Blowfish hashes into password database, typically requiring some level of access or injection capability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: PHP 8.0.28, 8.1.16, 8.2.3

Vendor Advisory: https://github.com/php/php-src/security/advisories/GHSA-7fj2-8x79-rjf4

Restart Required: Yes

Instructions:

1. Identify the PHP version with 'php -v'.
2. Update PHP to a patched version using the package manager.
3. Restart the web server (Apache/Nginx) and PHP-FPM if applicable.
4. Test password verification functionality.

🔧 Temporary Workarounds

Validate password hashes before storage (applies to: all)

Implement additional validation so that only well-formed Blowfish hashes are ever written to the password database.

Migrate to alternative hashing algorithm (applies to: all)

Use Argon2 (PASSWORD_ARGON2ID, where available) instead of Blowfish for password hashing. Note that in PHP, "Blowfish" is the bcrypt ($2y$) format produced by PASSWORD_BCRYPT, so switching to bcrypt does not move away from the affected code path.

🧯 If You Can't Patch

  • Audit password database for invalid Blowfish hashes and remove/replace them
  • Implement additional authentication factors (MFA) to reduce impact of potential bypass

🔍 How to Verify

Check if Vulnerable:

Check PHP version with 'php -v' and compare against affected versions. Test password_verify() with known invalid Blowfish hashes.

Check Version:

php -v | grep 'PHP'

Verify Fix Applied:

After patching, verify PHP version is updated and test that invalid Blowfish hashes are now rejected by password_verify().
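As an added check (example code, not from the advisory or php-src) covering the "validate hashes before storage" workaround, the audit step under "If You Can't Patch", and the verification step here: it compares the running PHP version against the fixed releases listed above, flags stored hashes that do not match the strict bcrypt grammar, and confirms that malformed hashes do not verify. The sample hashes are constructed for the demo; the assumption that branches outside 8.0 to 8.2 are unaffected follows the version list on this page.

```php
<?php
// Added example, not code from the advisory or from php-src.
declare(strict_types=1);

// Strict bcrypt ("Blowfish") grammar: prefix, 2-digit cost (04..31), then exactly
// 22 salt + 31 digest characters from bcrypt's own base64 alphabet. Total 60 chars.
const BCRYPT_RE = '#^\$2[abxy]\$(?:0[4-9]|[12][0-9]|3[01])\$[./A-Za-z0-9]{53}$#';

function isWellFormedBcrypt(string $hash): bool
{
    return preg_match(BCRYPT_RE, $hash) === 1;
}

// True when the interpreter is at or above the fixed release for its minor branch
// (8.0.28, 8.1.16, 8.2.3, as listed on this page). Assumption: branches not listed
// are outside the affected range. Distro backports may fix without bumping the
// version string, so treat a "MISSING" result as "check your vendor's changelog".
function phpHasFix(string $version = PHP_VERSION): bool
{
    $fixed = ['8.0' => '8.0.28', '8.1' => '8.1.16', '8.2' => '8.2.3'];
    $branch = implode('.', array_slice(explode('.', $version), 0, 2));
    return !isset($fixed[$branch]) || version_compare($version, $fixed[$branch], '>=');
}

// Audit a username => hash map; returns the users whose stored hash is malformed.
function findMalformedHashes(array $userHashes): array
{
    return array_keys(array_filter($userHashes, fn(string $h) => !isWellFormedBcrypt($h)));
}

// Constructed sample "database": one good hash, one with a salt character outside
// the bcrypt alphabet, one truncated by a byte.
$password  = 'correct horse battery staple';
$good      = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$badChar   = substr_replace($good, '*', 10, 1);
$truncated = substr($good, 0, 59);
$db = ['alice' => $good, 'bob' => $badChar, 'carol' => $truncated];

printf("PHP %s: fix %s\n", PHP_VERSION, phpHasFix() ? 'present' : 'MISSING, update');
foreach (findMalformedHashes($db) as $user) {
    printf("malformed hash for %s: reject at write time and force a password reset\n", $user);
}
// On a patched build a malformed hash must never verify; a 'YES' here needs investigation.
foreach (['bob' => $badChar, 'carol' => $truncated] as $user => $h) {
    printf("%s verifies: %s\n", $user, password_verify($password, $h) ? 'YES (investigate)' : 'no');
}
```

Run the same validator in the code path that writes hashes (registration, password reset, migrations) so a malformed value is rejected before it reaches the database.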

📡 Detection & Monitoring

Log Indicators:

  • Repeated failed login attempts for an account followed immediately by a successful login for the same account
  • Authentication logs showing successful logins with unusual timing or patterns (e.g. shortly after a change to the stored hash)

Network Indicators:

  • Unusual authentication patterns or brute force attempts

SIEM Query:

source="auth.log" AND (event="authentication success" AND previous_event="authentication failure" within 1s)
