{"api_version":"1","generated_at":"2026-04-22T23:09:23+00:00","cve":"CVE-2023-3823","urls":{"html":"https://cve.report/CVE-2023-3823","api":"https://cve.report/api/cve/CVE-2023-3823.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-3823","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-3823"},"summary":{"title":"CVE-2023-3823","description":"In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling the appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entity loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down. 
","state":"PUBLIC","assigner":"security@php.net","published_at":"2023-08-11 06:15:00","updated_at":"2023-10-27 18:58:00"},"problem_types":["CWE-611"],"metrics":[],"references":[{"url":"https://security.netapp.com/advisory/ntap-20230825-0001/","name":"https://security.netapp.com/advisory/ntap-20230825-0001/","refsource":"MISC","tags":[],"title":"August 2023 PHP Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 38 Update: php-8.2.9-2.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/php/php-src/security/advisories/GHSA-3qrf-m4j2-pcrr","name":"https://github.com/php/php-src/security/advisories/GHSA-3qrf-m4j2-pcrr","refsource":"MISC","tags":[],"title":"Security issue with external entity loading in XML without enabling it · Advisory · php/php-src · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html","name":"https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html","refsource":"MISC","tags":[],"title":"[SECURITY] [DLA 3555-1] php7.3 security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-3823","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-3823","name":"NVD vulnerability 
detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"3823","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3823","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"38","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3823","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"php","cpe5":"php","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-3823","qid":"161008","title":"Oracle Enterprise Linux Security Update for Hypertext Preprocessor (PHP) (ELSA-2023-5926)"},{"cve":"CVE-2023-3823","qid":"161015","title":"Oracle Enterprise Linux Security Update for php:8.0 (ELSA-2023-5927)"},{"cve":"CVE-2023-3823","qid":"161313","title":"Oracle Enterprise Linux Security Update for php:8.1 (ELSA-2024-0387)"},{"cve":"CVE-2023-3823","qid":"199676","title":"Ubuntu Security Notification for Hypertext Preprocessor (PHP) Vulnerabilities (USN-6305-1)"},{"cve":"CVE-2023-3823","qid":"200142","title":"Ubuntu Security Notification for Hypertext Preprocessor (PHP) Vulnerabilities (USN-6305-2)"},{"cve":"CVE-2023-3823","qid":"242223","title":"Red Hat Update for Hypertext Preprocessor (PHP) (RHSA-2023:5926)"},{"cve":"CVE-2023-3823","qid":"242227","title":"Red Hat Update for php:8.0 (RHSA-2023:5927)"},{"cve":"CVE-2023-3823","qid":"242739","title":"Red Hat Update for php:8.1 (RHSA-2024:0387)"},{"cve":"CVE-2023-3823","qid":"284381","title":"Fedora Security Update for 
Hypertext Preprocessor (PHP) (FEDORA-2023-c68f2227e6)"},{"cve":"CVE-2023-3823","qid":"284393","title":"Fedora Security Update for Hypertext Preprocessor (PHP) (FEDORA-2023-984c26961f)"},{"cve":"CVE-2023-3823","qid":"356065","title":"Amazon Linux Security Advisory for Hypertext Preprocessor (PHP) : ALASPHP8.2-2023-002"},{"cve":"CVE-2023-3823","qid":"356069","title":"Amazon Linux Security Advisory for Hypertext Preprocessor (PHP) : ALASPHP8.0-2023-009"},{"cve":"CVE-2023-3823","qid":"356073","title":"Amazon Linux Security Advisory for Hypertext Preprocessor (PHP) : ALASPHP8.1-2023-004"},{"cve":"CVE-2023-3823","qid":"356078","title":"Amazon Linux Security Advisory for Hypertext Preprocessor (PHP) : ALASPHP8.2-2023-002"},{"cve":"CVE-2023-3823","qid":"356084","title":"Amazon Linux Security Advisory for Hypertext Preprocessor (PHP) : ALASPHP8.1-2023-004"},{"cve":"CVE-2023-3823","qid":"356089","title":"Amazon Linux Security Advisory for Hypertext Preprocessor (PHP) : ALASPHP8.0-2023-009"},{"cve":"CVE-2023-3823","qid":"38910","title":"Hypertext Preprocessor (PHP) Multiple Vulnerabilities"},{"cve":"CVE-2023-3823","qid":"503088","title":"Alpine Linux Security Update for php81"},{"cve":"CVE-2023-3823","qid":"503096","title":"Alpine Linux Security Update for php8"},{"cve":"CVE-2023-3823","qid":"503854","title":"Alpine Linux Security Update for php81"},{"cve":"CVE-2023-3823","qid":"6000162","title":"Debian Security Update for php7.3 (DLA 3555-1)"},{"cve":"CVE-2023-3823","qid":"6000571","title":"Debian Security Update for php8.2 (DSA 5661-1)"},{"cve":"CVE-2023-3823","qid":"674053","title":"EulerOS Security Update for Hypertext Preprocessor (PHP) (EulerOS-SA-2024-1288)"},{"cve":"CVE-2023-3823","qid":"941313","title":"AlmaLinux Security Update for php:8.0 (ALSA-2023:5927)"},{"cve":"CVE-2023-3823","qid":"941321","title":"AlmaLinux Security Update for Hypertext Preprocessor (PHP) (ALSA-2023:5926)"},{"cve":"CVE-2023-3823","qid":"941553","title":"AlmaLinux Security Update for php:8.1 
(ALSA-2024:0387)"},{"cve":"CVE-2023-3823","qid":"961052","title":"Rocky Linux Security Update for Hypertext Preprocessor (PHP) (RLSA-2023:5926)"},{"cve":"CVE-2023-3823","qid":"961062","title":"Rocky Linux Security Update for php:8.0 (RLSA-2023:5927)"},{"cve":"CVE-2023-3823","qid":"961115","title":"Rocky Linux Security Update for php:8.1 (RLSA-2024:0387)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-3823","ASSIGNER":"security@php.net","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling the appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entity loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down. 
\n\n"}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"PHP Group","product":{"product_data":[{"product_name":"PHP","version":{"version_data":[{"version_value":"not down converted","x_cve_json_5_version_data":{"versions":[{"lessThan":"8.0.30","status":"affected","version":"8.0.*","versionType":"semver"},{"lessThan":"8.1.22","status":"affected","version":"8.1.*","versionType":"semver"},{"lessThan":"8.2.8","status":"affected","version":"8.2.*","versionType":"semver"}],"defaultStatus":"affected"}}]}}]}}]}},"references":{"reference_data":[{"url":"https://github.com/php/php-src/security/advisories/GHSA-3qrf-m4j2-pcrr","refsource":"MISC","name":"https://github.com/php/php-src/security/advisories/GHSA-3qrf-m4j2-pcrr"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/"},{"url":"https://security.netapp.com/advisory/ntap-20230825-0001/","refsource":"MISC","name":"https://security.netapp.com/advisory/ntap-20230825-0001/"},{"url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html","refsource":"MISC","name":"https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html"}]},"generator":{"engine":"Vulnogram 0.1.0-dev"},"source":{"advisory":"https://github.com/php/php-src/security/advisories/GHSA-3qrf-m4j","discovery":"EXTERNAL"},"work_around":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Disable external entity loader, e.g. like this:&nbsp;<pre>libxml_set_external_entity_loader(function () { return null; });</pre><br>"}],"value":"Disable external entity loader, e.g. 
like this: libxml_set_external_entity_loader(function () { return null; });\n\n\n"}],"credits":[{"lang":"en","value":"Joas Schilling"}],"impact":{"cvss":[{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":8.6,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L","version":"3.1"}]}},"nvd":{"publishedDate":"2023-08-11 06:15:00","lastModifiedDate":"2023-10-27 18:58:00","problem_types":["CWE-611"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*","versionStartIncluding":"8.1.0","versionEndExcluding":"8.1.22","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*","versionStartIncluding":"8.0.0","versionEndExcluding":"8.0.30","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*","versionStartIncluding":"8.2.0","versionEndExcluding":"8.2.9","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}