CVE-2024-5458 - OpenCVE

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fedoraproject	Fedora
Php	Php

Configuration 1 [-]

OR	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::

Configuration 2 [-]

cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/06/07/1
https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w
https://lists.debian.org/debian-lts-announce/2024/06/msg00009.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/
https://nvd.nist.gov/vuln/detail/CVE-2024-5458
https://security.netapp.com/advisory/ntap-20240726-0001/
https://www.cve.org/CVERecord?id=CVE-2024-5458

History

No history.

MITRE

Status: PUBLISHED

Assigner: php

Published: 2024-06-09T18:26:28.804Z

Updated: 2024-08-01T21:11:12.787Z

Reserved: 2024-05-29T00:23:37.703Z

Link: CVE-2024-5458

Vulnrichment

Updated: 2024-08-01T21:11:12.787Z

NVD

Status : Modified

Published: 2024-06-09T19:15:52.397

Modified: 2024-07-28T14:15:10.873

Link: CVE-2024-5458

Redhat

Severity : Moderate

Publid Date: 2022-10-21T00:00:00Z

Links: CVE-2024-5458 - Bugzilla

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-5458", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "state": "PUBLISHED", "assignerShortName": "php", "dateReserved": "2024-05-29T00:23:37.703Z", "datePublished": "2024-06-09T18:26:28.804Z", "dateUpdated": "2024-08-01T21:11:12.787Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "modules": ["filter"], "product": "PHP", "programFiles": ["ext/filter/logical_filters.c"], "repo": "https://github.com/php/php-src", "vendor": "PHP Group", "versions": [{"lessThan": "8.1.29", "status": "affected", "version": "8.1.*", "versionType": "semver"}, {"lessThan": "8.2.20", "status": "affected", "version": "8.2.*", "versionType": "semver"}, {"lessThan": "8.3.8", "status": "affected", "version": "8.3.*", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "c01l"}], "datePublic": "2024-06-09T18:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In PHP versions<span style=\"background-color: var(--wht);\"> 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs </span><span style=\"background-color: var(--wht);\">(FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly. </span><span style=\"background-color: var(--wht);\"><br><br></span>"}], "value": "In PHP versions\u00a08.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs\u00a0(FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2024-06-09T18:32:45.969Z"}, "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w"}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/07/1"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00009.html"}, {"url": "https://security.netapp.com/advisory/ntap-20240726-0001/"}], "source": {"advisory": "GHSA-w8qr-v226-r27w", "discovery": "EXTERNAL"}, "title": "Filter bypass in filter_var (FILTER_VALIDATE_URL)", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "php", "product": "php", "cpes": ["cpe:2.3:a:php:php:*:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "7.3.27", "status": "affected", "lessThanOrEqual": "7.3.33", "versionType": "semver"}, {"version": "7.4.15", "status": "affected", "lessThanOrEqual": "7.4.33", "versionType": "semver"}, {"version": "8.0.2", "status": "affected", "lessThanOrEqual": "8.0.30", "versionType": "semver"}, {"version": "8.1.0", "status": "affected", "lessThan": "8.1.29", "versionType": "semver"}, {"version": "8.2.0", "status": "affected", "lessThan": "8.2.20", "versionType": "semver"}, {"version": "8.3.0", "status": "affected", "lessThan": "8.3.8", "versionType": "semver"}]}, {"vendor": "fedoraproject", "product": "fedora", "cpes": ["cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "40", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-10T19:55:47.057816Z", "id": "CVE-2024-5458", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-01T14:00:57.567Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:11:12.787Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/07/1", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00009.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240726-0001/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/07/1", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00009.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240726-0001/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:11:12.787Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5458", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-10T19:55:47.057816Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:php:php:*:*:*:*:*:*:*:*"], "vendor": "php", "product": "php", "versions": [{"status": "affected", "version": "7.3.27", "versionType": "semver", "lessThanOrEqual": "7.3.33"}, {"status": "affected", "version": "7.4.15", "versionType": "semver", "lessThanOrEqual": "7.4.33"}, {"status": "affected", "version": "8.0.2", "versionType": "semver", "lessThanOrEqual": "8.0.30"}, {"status": "affected", "version": "8.1.0", "lessThan": "8.1.29", "versionType": "semver"}, {"status": "affected", "version": "8.2.0", "lessThan": "8.2.20", "versionType": "semver"}, {"status": "affected", "version": "8.3.0", "lessThan": "8.3.8", "versionType": "semver"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*"], "vendor": "fedoraproject", "product": "fedora", "versions": [{"status": "affected", "version": "40"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-10T20:03:56.739Z"}}], "cna": {"title": "Filter bypass in filter_var (FILTER_VALIDATE_URL)", "source": {"advisory": "GHSA-w8qr-v226-r27w", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "c01l"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/php/php-src", "vendor": "PHP Group", "modules": ["filter"], "product": "PHP", "versions": [{"status": "affected", "version": "8.1.*", "lessThan": "8.1.29", "versionType": "semver"}, {"status": "affected", "version": "8.2.*", "lessThan": "8.2.20", "versionType": "semver"}, {"status": "affected", "version": "8.3.*", "lessThan": "8.3.8", "versionType": "semver"}], "programFiles": ["ext/filter/logical_filters.c"], "defaultStatus": "affected"}], "datePublic": "2024-06-09T18:00:00.000Z", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w"}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/07/1"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00009.html"}, {"url": "https://security.netapp.com/advisory/ntap-20240726-0001/"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "In PHP versions\u00a08.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs\u00a0(FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.", "supportingMedia": [{"type": "text/html", "value": "In PHP versions<span style=\"background-color: var(--wht);\"> 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs </span><span style=\"background-color: var(--wht);\">(FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly. </span><span style=\"background-color: var(--wht);\"><br><br></span>", "base64": false}]}], "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2024-06-09T18:32:45.969Z"}}}, "cveMetadata": {"cveId": "CVE-2024-5458", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:11:12.787Z", "dateReserved": "2024-05-29T00:23:37.703Z", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "datePublished": "2024-06-09T18:26:28.804Z", "assignerShortName": "php"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "8703A80A-44D8-4615-A849-61526B187D73", "versionEndIncluding": "7.3.33", "versionStartIncluding": "7.3.27", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "C937E1A7-44CC-4CA3-815C-0E8709EB393E", "versionEndIncluding": "7.4.33", "versionStartIncluding": "7.4.15", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "E0FA45C5-498B-4160-9CA3-F0A6533ECDFA", "versionEndIncluding": "8.0.30", "versionStartIncluding": "8.0.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "7DC2EEF8-834B-42A1-8DA3-0C2CF22A7070", "versionEndExcluding": "8.1.29", "versionStartIncluding": "8.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "A39988FF-D854-4277-9D66-6911AF371DD3", "versionEndExcluding": "8.2.20", "versionStartIncluding": "8.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "F579FFC1-4F81-4755-B14B-3AA73AC9FF7A", "versionEndExcluding": "8.3.8", "versionStartIncluding": "8.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*", "matchCriteriaId": "CA277A6C-83EC-4536-9125-97B84C4FAF59", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In PHP versions\u00a08.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs\u00a0(FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly."}, {"lang": "es", "value": "En las versiones de PHP 8.1.* anteriores a 8.1.29, 8.2.* anteriores a 8.2.20, 8.3.* anteriores a 8.3.8, debido a un error de l\u00f3gica de c\u00f3digo, funciones de filtrado como filter_var al validar URL (FILTER_VALIDATE_URL) para ciertos tipos de URL la funci\u00f3n dar\u00e1 como resultado que la informaci\u00f3n de usuario no v\u00e1lida (nombre de usuario + contrase\u00f1a parte de las URL) se trate como informaci\u00f3n de usuario v\u00e1lida. Esto puede hacer que el c\u00f3digo posterior acepte URL no v\u00e1lidas como v\u00e1lidas y las analice incorrectamente."}], "id": "CVE-2024-5458", "lastModified": "2024-07-28T14:15:10.873", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@php.net", "type": "Secondary"}]}, "published": "2024-06-09T19:15:52.397", "references": [{"source": "security@php.net", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2024/06/07/1"}, {"source": "security@php.net", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w"}, {"source": "security@php.net", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00009.html"}, {"source": "security@php.net", "tags": ["Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/"}, {"source": "security@php.net", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/"}, {"source": "security@php.net", "url": "https://security.netapp.com/advisory/ntap-20240726-0001/"}], "sourceIdentifier": "security@php.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "php: Filter bypass in filter_var (FILTER_VALIDATE_URL)", "id": "2291252", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2291252"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-20", "details": ["In PHP versions\u00a08.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs\u00a0(FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-5458", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "php", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "php", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "php:7.4/php", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "php:8.0/php", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "php:8.2/php", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "php", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "php:8.1/php", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "php:8.2/php", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2022-10-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-5458\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-5458\nhttps://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w"], "statement": "This flaw in PHP's filter_var function with FILTER_VALIDATE_URL constitutes a moderate severity issue because, while it allows URLs with invalid user information to be treated as valid, it does not directly facilitate immediate security breaches or exploits on its own. The impact is limited to cases where applications rely solely on this function for URL validation without additional checks, potentially leading to improper handling of user credentials. However, the flaw does not compromise the overall integrity of the PHP interpreter, nor does it inherently lead to data corruption or system crashes. Its exploitation requires specific conditions and contexts, making it less critical than high-severity vulnerabilities that enable direct remote code execution or privilege escalation.", "threat_severity": "Moderate", "upstream_fix": "php 8.1.29, php 8.2.20, php 8.3.8"}