CVE-2023-3247

Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP

Publication Date 2023-06-08
Severity Critical
Type Cross-Site Request Forgery
Affected PHP Versions
  • 7.2.0-7.2.34
  • 7.3.0-7.3.33
  • 7.4.0-7.4.33
  • 8.0.0-8.0.28
  • 8.1.0-8.1.19
  • 8.2.0-8.2.6
Fixed Product Versions
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendPHP 8.0
  • ZendPHP 8.1
  • ZendPHP 8.2
  • ZendServer 2019.1.4
  • ZendServer 2021.3.2

CVE Details

When using HTTP Digest authentication via the SOAP extension, an attacker may be able to spoof credentials in order to utilize the web service.

Recommendations

If using the HTTP Digest authentication with the SOAP extension, we recommend updating your PHP version immediately to one that has patched the vulnerability. If you are unable to do so, we recommend moving the HTTP Digest authentication out of PHP and into your web server as a mitigation.