CVE-2023-3823 affects PHP versions 8.0.* to 8.2.* and can allow disclosure of local files through XML functions; it carries a high base severity rating.
This CVE involves a security issue in PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 related to external entity loading in XML functions.
Understanding CVE-2023-3823
This vulnerability allows PHP's XML functions to load external entities even though loading was not explicitly enabled, potentially leading to disclosure of local files accessible to PHP.
What is CVE-2023-3823?
In PHP versions 8.0.* to 8.2.*, various XML functions rely on libxml global state to track configuration variables, such as whether external entities are loaded. This state, which is process-global, can be unintentionally changed by other modules using the library within the same process, potentially allowing external XML with loaded entities to be parsed, resulting in sensitive data exposure.
The Impact of CVE-2023-3823
This CVE is classified under CAPEC-197 (XML Entity Expansion) and has a high base severity score of 8.6. The impact is on confidentiality: local files accessible to PHP may be disclosed.
Technical Details of CVE-2023-3823
This section provides a deeper insight into the vulnerability, affected systems and versions, as well as the exploitation mechanism.
Vulnerability Description
The vulnerability arises from the reliance on libxml global state in PHP versions 8.0.* to 8.2.*, allowing external entities to be loaded in XML functions without explicit enabling. This can result in the disclosure of local files accessible to PHP.
Affected Systems and Versions
PHP versions affected include 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8. Users of these versions are at risk of the security issue related to external entity loading in XML processing.
Exploitation Mechanism
The exploitation involves external modules within the same process, like ImageMagick, inadvertently changing the libxml global state, allowing external entities to be loaded in XML functions. This can lead to the exposure of sensitive local files.
Mitigation and Prevention
To address and prevent the risks associated with CVE-2023-3823, users are advised to take immediate steps and adopt long-term security practices.
Immediate Steps to Take
A recommended immediate step is to disable the external entity loader as a workaround. For example, users can disable it by executing the following:
libxml_set_external_entity_loader(function () { return null; });
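The check below is an added example, not code from the advisory or the PHP project: it compares a version string against the fixed releases listed on this page, installs the workaround loader, and confirms with a constructed canary file that an external entity is not resolved. The function names are illustrative, and the file:// path assumes a POSIX system.

```php
<?php
// Added example: illustrative names, not part of the advisory or of PHP itself.
declare(strict_types=1);

// First fixed release per branch, as listed in this advisory.
const FIXED = ['8.0' => '8.0.30', '8.1' => '8.1.22', '8.2' => '8.2.8'];

function is_affected(string $version): bool
{
    if (!preg_match('/^(\d+\.\d+)\./', $version, $m) || !isset(FIXED[$m[1]])) {
        return false; // branch not covered by this advisory
    }
    return version_compare($version, FIXED[$m[1]], '<');
}

function install_workaround(): void
{
    // Workaround from the advisory: the loader resolves nothing.
    libxml_set_external_entity_loader(function () { return null; });
}

function workaround_blocks_entities(): bool
{
    // Constructed canary file and document, used only for this self-test.
    $canary = tempnam(sys_get_temp_dir(), 'xxe');
    $marker = 'canary-' . bin2hex(random_bytes(8));
    file_put_contents($canary, $marker);
    $xml = '<?xml version="1.0"?><!DOCTYPE d [<!ENTITY e SYSTEM "file://'
         . $canary . '">]><d>&e;</d>';

    $previous = libxml_use_internal_errors(true); // keep parser warnings quiet
    $doc = new DOMDocument();
    // LIBXML_NOENT stands in for global state that another module has changed.
    $loaded = $doc->loadXML($xml, LIBXML_NOENT);
    $leaked = $loaded && str_contains((string) $doc->saveXML(), $marker);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    unlink($canary);
    return !$leaked; // true when the canary content never reached the document
}

install_workaround();
printf("PHP %s: %s\n", PHP_VERSION, is_affected(PHP_VERSION) ? 'affected, upgrade' : 'not in an affected range');
printf("Workaround self-test: %s\n", workaround_blocks_entities() ? 'entity not loaded' : 'ENTITY LOADED');
```

Distribution packages sometimes backport fixes without changing the upstream version number, so treat the version comparison as a first pass rather than a final answer.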
Long-Term Security Practices
Implementing secure coding practices, regular security updates, and monitoring for security advisories can enhance the long-term security posture against similar vulnerabilities.
Patching and Updates
Users are strongly encouraged to update their PHP installations to the patched versions—8.0.30, 8.1.22, and 8.2.8—which address the security issue with external entity loading in XML functions. Regularly applying updates is crucial to staying protected against known vulnerabilities.