Question about PHP Vulnerabilities in Scan Report

Hello everyone,

I’m not sure if this is the right place to post this, but I’m a bit confused about a recent vulnerability scan report I received. The report identified several vulnerabilities (CVE-2023-0567, CVE-2023-0568, and CVE-2023-0662) in my PHP version 7.4.30. However, when I looked up these CVEs on the NVD website, they are only listed as affecting PHP versions 8.0.X before 8.0.28, 8.1.X before 8.1.16, and 8.2.X before 8.2.3.

Here are the links to the CVEs for reference:

  • CVE-2023-0567
  • CVE-2023-0568
  • [CVE-2023-0662] (No link because of an error: “Sorry, new users can only put 2 links in a post.”)

I’m wondering if anyone else has encountered this issue and if there’s something I’m missing. Any insights would be greatly appreciated.

Thank you!

P.S. Here is a part of the report:

Hi and welcome to the community!

E.g. BCrypt hashes erroneously validate if the salt is cut short by `$` · Advisory · php/php-src · GitHub (for CVE-2023-0567) states < 8.0.28, < 8.1.16, < 8.2.3, from which one can assume that everything below is affected.

Furthermore, according to PHP: Supported Versions, the 7.4 branch is end of life. So I guess all EOL branches are neither checked by PHP nor will be patched, and we can assume that it will most likely be affected.

3 Likes

Hi and thank you!

Okay, this refers to CVE-2023-0567, right? Does this also apply to other CVEs? I’m just trying to figure out if the detection is working properly.

Yes, this applies as well to the other CVEs. In general, if a vendor doesn't explicitly state an affected version range, we assume that every version below is affected too. If in doubt, you need to contact the vendor directly to clarify. In this case I assume they will not bother with it, as 7.4.x is EOL.

2 Likes
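To make the matching rule from the reply above concrete, here is an added example (not code from the thread, from Greenbone, or from any scanner) that applies it to the three CVEs and the installed PHP 7.4.30. The fixed versions are the ones quoted in the thread; the `EOL_BRANCHES` set and the treatment of versions newer than every listed branch (assumed to carry the fix forward) are assumptions made for this example.

```python
from __future__ import annotations
from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '7.4.30' into (7, 4, 30); tuples of ints compare release-wise."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Advisory:
    cve: str
    fixed_in: tuple[str, ...]   # first fixed release of each branch the advisory names


# Constructed from the version numbers quoted in the thread: each CVE lists
# fixes only for the 8.0, 8.1 and 8.2 branches.
PHP_ADVISORIES = (
    Advisory("CVE-2023-0567", ("8.0.28", "8.1.16", "8.2.3")),
    Advisory("CVE-2023-0568", ("8.0.28", "8.1.16", "8.2.3")),
    Advisory("CVE-2023-0662", ("8.0.28", "8.1.16", "8.2.3")),
)

# Assumption for this example: branches the vendor no longer patches.
EOL_BRANCHES = {(7, 3), (7, 4)}


def is_affected(installed: str, advisory: Advisory) -> tuple[bool, str]:
    """Apply the scanner's rule described in the thread: a branch with a listed
    fix is compared against that fix; a version below every listed fix is
    assumed affected. A version newer than every listed branch is treated as
    carrying the fix forward (an assumption of this example, not from the thread)."""
    ver = parse_version(installed)
    branch = ver[:2]
    fixes = sorted(parse_version(f) for f in advisory.fixed_in)

    # Case 1: the installed branch has an explicit fix version.
    for fix in fixes:
        if fix[:2] == branch:
            fix_text = ".".join(map(str, fix))
            if ver < fix:
                return True, f"{installed} is below the fix {fix_text} for its branch"
            return False, f"{installed} already includes the fix {fix_text}"

    # Case 2: no fix listed for this branch; everything below the lowest fix is assumed affected.
    lowest = ".".join(map(str, fixes[0]))
    if ver < fixes[0]:
        note = " (branch is EOL, so no fix will be listed for it)" if branch in EOL_BRANCHES else ""
        return True, (f"no fix listed for branch {branch[0]}.{branch[1]}; "
                      f"{installed} is below {lowest}, assumed affected{note}")

    # Case 3: newer than every branch the advisory names (assumption: fix carried forward).
    return False, f"{installed} is newer than every branch the advisory names"


def scan(installed: str, advisories: tuple[Advisory, ...] = PHP_ADVISORIES) -> list[tuple[str, bool, str]]:
    """Evaluate every advisory against one installed version."""
    return [(adv.cve, *is_affected(installed, adv)) for adv in advisories]


if __name__ == "__main__":
    for cve, affected, why in scan("7.4.30"):
        print(f"{cve}: {'AFFECTED' if affected else 'not affected'} - {why}")
```

Running it reports all three CVEs as affected for 7.4.30 with the reason that no fix is listed for the 7.4 branch, which is exactly why the scan report flags them even though NVD only names the 8.x branches.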

Thank you for the explanation!

One additional (more or less important) note on the CVE description. The CVE description might not necessarily contain all affected and/or fixed versions, as we received the following statement from a MITRE representative in the past:

A CVE description does not necessarily contain all the affected products or versions and is not part of CVE ID requirements. The products are documented in the CVE references.

1 Like