CVE-2024-5458 (GCVE-0-2024-5458)
Vulnerability from cvelistv5 – Published: 2024-06-09 18:26 – Updated: 2025-11-03 22:32
VLAI
Title
Filter bypass in filter_var (FILTER_VALIDATE_URL)
Summary
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.
Severity
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
7 references
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| PHP Group | PHP |
Affected:
8.1.* , < 8.1.29
(semver)
Affected: 8.2.* , < 8.2.20 (semver) Affected: 8.3.* , < 8.3.8 (semver) |
|
| php | php |
Affected:
7.3.27 , ≤ 7.3.33
(semver)
Affected: 7.4.15 , ≤ 7.4.33 (semver) Affected: 8.0.2 , ≤ 8.0.30 (semver) Affected: 8.1.0 , < 8.1.29 (semver) Affected: 8.2.0 , < 8.2.20 (semver) Affected: 8.3.0 , < 8.3.8 (semver) cpe:2.3:a:php:php:*:*:*:*:*:*:*:* |
|
| fedoraproject | fedora |
Affected:
40
cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:* |
Date Public
2024-06-09 18:00
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "php",
"vendor": "php",
"versions": [
{
"lessThanOrEqual": "7.3.33",
"status": "affected",
"version": "7.3.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.4.33",
"status": "affected",
"version": "7.4.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.0.30",
"status": "affected",
"version": "8.0.2",
"versionType": "semver"
},
{
"lessThan": "8.1.29",
"status": "affected",
"version": "8.1.0",
"versionType": "semver"
},
{
"lessThan": "8.2.20",
"status": "affected",
"version": "8.2.0",
"versionType": "semver"
},
{
"lessThan": "8.3.8",
"status": "affected",
"version": "8.3.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fedora",
"vendor": "fedoraproject",
"versions": [
{
"status": "affected",
"version": "40"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5458",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-10T19:55:47.057816Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345 Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T14:13:20.514Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:32:24.445Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/06/07/1"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00009.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240726-0001/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00011.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"filter"
],
"product": "PHP",
"programFiles": [
"ext/filter/logical_filters.c"
],
"repo": "https://github.com/php/php-src",
"vendor": "PHP Group",
"versions": [
{
"lessThan": "8.1.29",
"status": "affected",
"version": "8.1.*",
"versionType": "semver"
},
{
"lessThan": "8.2.20",
"status": "affected",
"version": "8.2.*",
"versionType": "semver"
},
{
"lessThan": "8.3.8",
"status": "affected",
"version": "8.3.*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "c01l"
}
],
"datePublic": "2024-06-09T18:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In PHP versions\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e(FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e"
}
],
"value": "In PHP versions\u00a08.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs\u00a0(FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-28T14:05:58.895Z",
"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"shortName": "php"
},
"references": [
{
"url": "https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/06/07/1"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00009.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240726-0001/"
}
],
"source": {
"advisory": "GHSA-w8qr-v226-r27w",
"discovery": "EXTERNAL"
},
"title": "Filter bypass in filter_var (FILTER_VALIDATE_URL)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"assignerShortName": "php",
"cveId": "CVE-2024-5458",
"datePublished": "2024-06-09T18:26:28.804Z",
"dateReserved": "2024-05-29T00:23:37.703Z",
"dateUpdated": "2025-11-03T22:32:24.445Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-5458",
"date": "2026-06-06",
"epss": "0.03579",
"percentile": "0.87973"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"7.3.27\", \"versionEndIncluding\": \"7.3.33\", \"matchCriteriaId\": \"8703A80A-44D8-4615-A849-61526B187D73\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"7.4.15\", \"versionEndIncluding\": \"7.4.33\", \"matchCriteriaId\": \"C937E1A7-44CC-4CA3-815C-0E8709EB393E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"8.0.2\", \"versionEndIncluding\": \"8.0.30\", \"matchCriteriaId\": \"E0FA45C5-498B-4160-9CA3-F0A6533ECDFA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"8.1.0\", \"versionEndExcluding\": \"8.1.29\", \"matchCriteriaId\": \"7DC2EEF8-834B-42A1-8DA3-0C2CF22A7070\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"8.2.0\", \"versionEndExcluding\": \"8.2.20\", \"matchCriteriaId\": \"A39988FF-D854-4277-9D66-6911AF371DD3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"8.3.0\", \"versionEndExcluding\": \"8.3.8\", \"matchCriteriaId\": \"F579FFC1-4F81-4755-B14B-3AA73AC9FF7A\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CA277A6C-83EC-4536-9125-97B84C4FAF59\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"In PHP versions\\u00a08.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs\\u00a0(FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.\"}, {\"lang\": \"es\", \"value\": \"En las versiones de PHP 8.1.* anteriores a 8.1.29, 8.2.* anteriores a 8.2.20, 8.3.* anteriores a 8.3.8, debido a un error de l\\u00f3gica de c\\u00f3digo, funciones de filtrado como filter_var al validar URL (FILTER_VALIDATE_URL) para ciertos tipos de URL la funci\\u00f3n dar\\u00e1 como resultado que la informaci\\u00f3n de usuario no v\\u00e1lida (nombre de usuario + contrase\\u00f1a parte de las URL) se trate como informaci\\u00f3n de usuario v\\u00e1lida. Esto puede hacer que el c\\u00f3digo posterior acepte URL no v\\u00e1lidas como v\\u00e1lidas y las analice incorrectamente.\"}]",
"id": "CVE-2024-5458",
"lastModified": "2024-11-21T09:47:43.413",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security@php.net\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}]}",
"published": "2024-06-09T19:15:52.397",
"references": "[{\"url\": \"http://www.openwall.com/lists/oss-security/2024/06/07/1\", \"source\": \"security@php.net\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w\", \"source\": \"security@php.net\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00009.html\", \"source\": \"security@php.net\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/\", \"source\": \"security@php.net\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/\", \"source\": \"security@php.net\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240726-0001/\", \"source\": \"security@php.net\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2024/06/07/1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00009.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240726-0001/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security@php.net",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-345\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-5458\",\"sourceIdentifier\":\"security@php.net\",\"published\":\"2024-06-09T19:15:52.397\",\"lastModified\":\"2025-11-03T23:17:30.373\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In PHP versions\u00a08.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs\u00a0(FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.\"},{\"lang\":\"es\",\"value\":\"En las versiones de PHP 8.1.* anteriores a 8.1.29, 8.2.* anteriores a 8.2.20, 8.3.* anteriores a 8.3.8, debido a un error de l\u00f3gica de c\u00f3digo, funciones de filtrado como filter_var al validar URL (FILTER_VALIDATE_URL) para ciertos tipos de URL la funci\u00f3n dar\u00e1 como resultado que la informaci\u00f3n de usuario no v\u00e1lida (nombre de usuario + contrase\u00f1a parte de las URL) se trate como informaci\u00f3n de usuario v\u00e1lida. Esto puede hacer que el c\u00f3digo posterior acepte URL no v\u00e1lidas como v\u00e1lidas y las analice incorrectamente.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@php.net\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-345\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-345\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.3.27\",\"versionEndIncluding\":\"7.3.33\",\"matchCriteriaId\":\"8703A80A-44D8-4615-A849-61526B187D73\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.4.15\",\"versionEndIncluding\":\"7.4.33\",\"matchCriteriaId\":\"C937E1A7-44CC-4CA3-815C-0E8709EB393E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.2\",\"versionEndIncluding\":\"8.0.30\",\"matchCriteriaId\":\"E0FA45C5-498B-4160-9CA3-F0A6533ECDFA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.1.0\",\"versionEndExcluding\":\"8.1.29\",\"matchCriteriaId\":\"7DC2EEF8-834B-42A1-8DA3-0C2CF22A7070\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.2.0\",\"versionEndExcluding\":\"8.2.20\",\"matchCriteriaId\":\"A39988FF-D854-4277-9D66-6911AF371DD3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.3.0\",\"versionEndExcluding\":\"8.3.8\",\"matchCriteriaId\":\"F579FFC1-4F81-4755-B14B-3AA73AC9FF7A\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CA277A6C-83EC-4536-9125-97B84C4FAF59\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2024/06/07/1\",\"source\":\"security@php.net\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w\",\"source\":\"security@php.net\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/06/msg00009.html\",\"source\":\"security@php.net\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/\",\"source\":\"security@php.net\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/\",\"source\":\"security@php.net\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20240726-0001/\",\"source\":\"security@php.net\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/06/07/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/06/msg00009.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/10/msg00011.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20240726-0001/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w\", \"tags\": [\"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2024/06/07/1\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00009.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240726-0001/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T21:11:12.787Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-5458\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-10T19:55:47.057816Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*\"], \"vendor\": \"php\", \"product\": \"php\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.3.27\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"7.3.33\"}, {\"status\": \"affected\", \"version\": \"7.4.15\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"7.4.33\"}, {\"status\": \"affected\", \"version\": \"8.0.2\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"8.0.30\"}, {\"status\": \"affected\", \"version\": \"8.1.0\", \"lessThan\": \"8.1.29\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"8.2.0\", \"lessThan\": \"8.2.20\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"8.3.0\", \"lessThan\": \"8.3.8\", \"versionType\": \"semver\"}], \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*\"], \"vendor\": \"fedoraproject\", \"product\": \"fedora\", \"versions\": [{\"status\": \"affected\", \"version\": \"40\"}], \"defaultStatus\": \"unknown\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-345\", \"description\": \"CWE-345 Insufficient Verification of Data Authenticity\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-10T20:03:56.739Z\"}}], \"cna\": {\"title\": \"Filter bypass in filter_var (FILTER_VALIDATE_URL)\", \"source\": {\"advisory\": \"GHSA-w8qr-v226-r27w\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"c01l\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/php/php-src\", \"vendor\": \"PHP Group\", \"modules\": [\"filter\"], \"product\": \"PHP\", \"versions\": [{\"status\": \"affected\", \"version\": \"8.1.*\", \"lessThan\": \"8.1.29\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"8.2.*\", \"lessThan\": \"8.2.20\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"8.3.*\", \"lessThan\": \"8.3.8\", \"versionType\": \"semver\"}], \"programFiles\": [\"ext/filter/logical_filters.c\"], \"defaultStatus\": \"affected\"}], \"datePublic\": \"2024-06-09T18:00:00.000Z\", \"references\": [{\"url\": \"https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2024/06/07/1\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00009.html\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240726-0001/\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In PHP versions\\u00a08.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs\\u00a0(FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"In PHP versions\u003cspan style=\\\"background-color: var(--wht);\\\"\u003e\u0026nbsp;8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs\u0026nbsp;\u003c/span\u003e\u003cspan style=\\\"background-color: var(--wht);\\\"\u003e(FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.\u0026nbsp;\u003c/span\u003e\u003cspan style=\\\"background-color: var(--wht);\\\"\u003e\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\", \"base64\": false}]}], \"providerMetadata\": {\"orgId\": \"dd77f84a-d19a-4638-8c3d-a322d820ed2b\", \"shortName\": \"php\", \"dateUpdated\": \"2024-07-28T14:05:58.895Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-5458\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-14T14:13:20.514Z\", \"dateReserved\": \"2024-05-29T00:23:37.703Z\", \"assignerOrgId\": \"dd77f84a-d19a-4638-8c3d-a322d820ed2b\", \"datePublished\": \"2024-06-09T18:26:28.804Z\", \"assignerShortName\": \"php\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…