Vulnerability details: VCID-mv3y-n1uu-aaam
Vulnerability ID VCID-mv3y-n1uu-aaam
Aliases CVE-2023-3823
Summary In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, various XML functions rely on libxml global state to track configuration variables, such as whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling the appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, change that global state for their internal purposes, and leave it in a state where external entity loading is enabled. This can lead to a situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down.
Status Published
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
Affected and Fixed Packages Package Details
Weaknesses (1)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-3823.json
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2023-3823
epss 0.00144 https://api.first.org/data/v1/epss?cve=CVE-2023-3823
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-3823
epss 0.00823 https://api.first.org/data/v1/epss?cve=CVE-2023-3823
epss 0.02109 https://api.first.org/data/v1/epss?cve=CVE-2023-3823
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-3823
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-3823
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-3823.json
https://api.first.org/data/v1/epss?cve=CVE-2023-3823
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3823
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3824
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2756
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3096
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/php/php-src/security/advisories/GHSA-3qrf-m4j2-pcrr
https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/
https://security.netapp.com/advisory/ntap-20230825-0001/
1043477 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043477
2229396 https://bugzilla.redhat.com/show_bug.cgi?id=2229396
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
CVE-2023-3823 https://nvd.nist.gov/vuln/detail/CVE-2023-3823
GLSA-202408-32 https://security.gentoo.org/glsa/202408-32
RHSA-2023:5926 https://access.redhat.com/errata/RHSA-2023:5926
RHSA-2023:5927 https://access.redhat.com/errata/RHSA-2023:5927
RHSA-2024:0387 https://access.redhat.com/errata/RHSA-2024:0387
RHSA-2024:10952 https://access.redhat.com/errata/RHSA-2024:10952
USN-6305-1 https://usn.ubuntu.com/6305-1/
USN-6305-2 https://usn.ubuntu.com/6305-2/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-3823.json
Attack Vector (AV): network
Attack Complexity (AC): low
Privileges Required (PR): none
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): high
Integrity Impact (I): none
Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): network
Attack Complexity (AC): high
Privileges Required (PR): low
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): high
Integrity Impact (I): high
Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-3823
Attack Vector (AV): network
Attack Complexity (AC): low
Privileges Required (PR): none
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): high
Integrity Impact (I): none
Availability Impact (A): none

Exploit Prediction Scoring System (EPSS)
Percentile 0.44621
EPSS Score 0.00108
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.