Vulnerability CVE-2024-5458: Information

Description

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8, a code logic error causes filtering functions such as filter_var, when validating URLs with FILTER_VALIDATE_URL, to treat invalid user information (the username and password part of a URL) as valid user information for certain types of URLs. This may lead downstream code to accept invalid URLs as valid and parse them incorrectly.

Severity: MEDIUM (5.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Published: June 9, 2024
Modified: June 13, 2024
Error type identifier: CWE-345

Fixed packages

Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State
php8.1 | sisyphus | 8.1.29-alt1 | 8.1.29-alt1 | ALT-PU-2024-8847-1 | 350654 | Fixed
php8.1 | sisyphus_e2k | 8.1.29-alt1 | 8.1.29-alt1 | ALT-PU-2024-9120-1 | - | Fixed
php8.1 | sisyphus_riscv64 | 8.1.29-alt1 | 8.1.29-alt1 | ALT-PU-2024-8970-1 | - | Fixed
php8.1 | sisyphus_loongarch64 | 8.1.29-alt1 | 8.1.29-alt1 | ALT-PU-2024-8981-1 | - | Fixed
php8.1 | p11 | 8.1.29-alt1 | 8.1.29-alt1 | ALT-PU-2024-8853-2 | 350658 | Fixed
php8.2 | sisyphus | 8.2.20-alt1 | 8.2.20-alt1 | ALT-PU-2024-8849-1 | 350656 | Fixed
php8.2 | sisyphus_e2k | 8.2.20-alt1 | 8.2.20-alt1 | ALT-PU-2024-9107-1 | - | Fixed
php8.2 | sisyphus_riscv64 | 8.2.20-alt1 | 8.2.20-alt1 | ALT-PU-2024-9007-1 | - | Fixed
php8.2 | sisyphus_loongarch64 | 8.2.20-alt1 | 8.2.20-alt1 | ALT-PU-2024-8982-1 | - | Fixed
php8.2 | p10_e2k | 8.2.20-alt1 | 8.2.20-alt1 | ALT-PU-2024-9115-1 | - | Fixed
php8.2 | p11 | 8.2.20-alt1 | 8.2.20-alt1 | ALT-PU-2024-8859-2 | 350659 | Fixed
php8.3 | sisyphus | 8.3.8-alt1 | 8.3.8-alt1 | ALT-PU-2024-8855-1 | 350657 | Fixed
php8.3 | sisyphus_e2k | 8.3.8-alt1 | 8.3.8-alt1 | ALT-PU-2024-9109-1 | - | Fixed
php8.3 | sisyphus_riscv64 | 8.3.8-alt1 | 8.3.8-alt1 | ALT-PU-2024-8972-1 | - | Fixed
php8.3 | sisyphus_loongarch64 | 8.3.8-alt1 | 8.3.8-alt1 | ALT-PU-2024-8983-1 | - | Fixed
php8.3 | p11 | 8.3.8-alt1 | 8.3.8-alt1 | ALT-PU-2024-8861-2 | 350660 | Fixed

References to Advisories, Solutions, and Tools

      Configuration 1

      cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
      Start including 8.2.0, end excluding 8.2.20

      cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
      Start including 8.3.0, end excluding 8.3.8

      cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
      Start including 8.1.0, end excluding 8.1.29

      cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
      Start including 8.0.2, end including 8.0.30

      cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
      Start including 7.4.15, end including 7.4.33

      cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
      Start including 7.3.27, end including 7.3.33

      Configuration 2

      cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*