CVE-2023-3823: 
PHP vulnerability analysis and mitigation

CVE-2023-3823 affects PHP versions 8.0. before 8.0.30, 8.1. before 8.1.22, and 8.2.* before 8.2.8. The vulnerability relates to XML functions relying on libxml global state to track configuration variables, particularly for external entities loading. This vulnerability was discovered by Joas Schilling and Baptista Katapi and was disclosed in August 2023 (PHP Advisory).

The vulnerability stems from the way PHP handles libxml global state for configuration variables. While external entities loading is disabled by default, other modules like ImageMagick that use the same library within the same process can change the global state for their internal purposes, potentially leaving external entities loading enabled. The vulnerability has received a CVSS v3.1 base score of 8.6 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L (PHP Advisory).

When successfully exploited, this vulnerability can lead to the disclosure of any local files accessible to PHP through XML external entity (XXE) processing. The vulnerable state may persist in the same process across many requests until the process is shut down, potentially affecting multiple requests (Debian Advisory).

The primary mitigation is to upgrade to PHP versions 8.0.30, 8.1.22, or 8.2.8 or later. As a workaround, applications can set an external entity loader that returns null using: libxmlsetexternalentityloader(function () { return null; }). Note that simply setting the entity loader to null (libxmlsetexternalentityloader(null)) is not sufficient and still leaves the system vulnerable (PHP Advisory).