
Amazon Linux 2023 : php8.1, php8.1-bcmath, php8.1-cli (ALAS2023-2024-612)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-612 advisory. Due to an incomplete fix for CVE-2022-31629 (https://github.com/advisories/GHSA-c43m-486j-j32p), network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications. (CVE-2024-2756) In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18 and 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true. (CVE-2024-3096) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version…
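A defender-side mitigation and self-check for the CVE-2024-3096 behaviour described above, added here as an example and not part of the advisory or of PHP itself: it mirrors the fix shipped in PHP 8.1.28 (rejecting NUL bytes before bcrypt truncates at them) and probes whether the running interpreter still verifies a leading-NUL password against the empty string. The function names and the probe password are assumptions.

```php
<?php
// Added example (not from the advisory or PHP): mitigation and runtime check
// for CVE-2024-3096. Function names are hypothetical.
declare(strict_types=1);

/** Reject NUL bytes before bcrypt sees them, as patched PHP (>= 8.1.28) does. */
function safe_password_hash(string $password): string
{
    if (strpos($password, "\0") !== false) {
        throw new ValueError('password must not contain null bytes');
    }
    return password_hash($password, PASSWORD_BCRYPT);
}

/** Refuse empty or NUL-containing candidates so the truncation path is never reached. */
function safe_password_verify(string $password, string $hash): bool
{
    if ($password === '' || strpos($password, "\0") !== false) {
        return false;
    }
    return password_verify($password, $hash);
}

/**
 * Runtime self-check: true if this PHP build still has the bug, i.e. a
 * password beginning with "\0" verifies against the empty string.
 */
function runtime_has_cve_2024_3096(): bool
{
    try {
        // Constructed probe value, not a real secret; low cost keeps the check fast.
        $hash = password_hash("\0probe-not-a-real-secret", PASSWORD_BCRYPT, ['cost' => 4]);
    } catch (ValueError $e) {
        return false; // patched builds reject NUL bytes at hash time
    }
    return password_verify('', $hash);
}

if (PHP_SAPI === 'cli') {
    echo 'runtime affected: ', var_export(runtime_has_cve_2024_3096(), true), PHP_EOL;
    $h = safe_password_hash('correct horse battery staple');
    var_dump(safe_password_verify('correct horse battery staple', $h));
    var_dump(safe_password_verify('', $h));
}
```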
