CVE-2024-5458
EUVD-2024-4667409.06.2024, 19:15
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.3.27 ≤ 𝑥 ≤ 7.3.33 |
| php | php | 7.4.15 ≤ 𝑥 ≤ 7.4.33 |
| php | php | 8.0.2 ≤ 𝑥 ≤ 8.0.30 |
| php | php | 8.1.0 ≤ 𝑥 < 8.1.29 |
| php | php | 8.2.0 ≤ 𝑥 < 8.2.20 |
| php | php | 8.3.0 ≤ 𝑥 < 8.3.8 |
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| php | php | 7.3.27 ≤ 𝑥 ≤ 7.3.33 | ADP |
| php | php | 7.4.15 ≤ 𝑥 ≤ 7.4.33 | ADP |
| php | php | 8.0.2 ≤ 𝑥 ≤ 8.0.30 | ADP |
| php | php | 8.1.0 ≤ 𝑥 < 8.1.29 | ADP |
| php | php | 8.2.0 ≤ 𝑥 < 8.2.20 | ADP |
| php | php | 8.3.0 ≤ 𝑥 < 8.3.8 | ADP |
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| php7.0 |
| ||||||||||||||||
| php5 |
| ||||||||||||||||
| php7.2 |
| ||||||||||||||||
| php7.4 |
| ||||||||||||||||
| php8.1 |
| ||||||||||||||||
| php8.2 |
| ||||||||||||||||
| php8.3 |
|
Common Weakness Enumeration
References