Skip to content

Typo in CVE-2023-0567 #22787

Description

@todb

Description

In https://cveawg.mitre.org/api/cve/CVE-2023-0567, the claimed unaffected version is less than version 80.28 of PHP.

We're going to be waiting a long time for that fix, or, more likely, it's a typo and should be 8.0.28. I've reached out to security@php.net but haven't gotten an ack back yet, so figured I'd drop a note here.

Thanks!

See:

"affected": [
          {
            "vendor": "php_group",
            "product": "php",
            "cpes": [
              "cpe:2.3:a:php_group:php:8.0.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:php_group:php:8.1.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:php_group:php:8.2.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "versions": [
              {
                "version": "8.0.0",
                "status": "affected",
                "lessThan": "80.28",
                "versionType": "semver"
              },
              {
                "version": "8.1.0",
                "status": "affected",
                "lessThan": "8.1.16",
                "versionType": "semver"
              },
              {
                "version": "8.2.0",
                "status": "affected",
                "lessThan": "8.2.3",
                "versionType": "semver"
              }
            ]
          }
        ],

PHP Version

PHP 8.2.0

Operating System

No response

Metadata

Metadata

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions