{"id":"CVE-2024-5458","details":"In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8, a code logic error causes filtering functions such as filter_var, when validating certain types of URLs with FILTER_VALIDATE_URL, to treat invalid user information (the username + password part of a URL) as valid user information. This may lead to downstream code accepting invalid URLs as valid and parsing them incorrectly.","aliases":["BIT-libphp-2024-5458","BIT-php-2024-5458","BIT-php-min-2024-5458"],"modified":"2026-03-15T22:49:31.185042Z","published":"2024-06-09T19:15:52.397Z","related":["ALSA-2024:10949","ALSA-2024:10950","ALSA-2024:10951","ALSA-2024:10952","CGA-ppvf-rgxg-mpm2","GHSA-w8qr-v226-r27w","MGASA-2024-0262","SUSE-SU-2024:2027-1","SUSE-SU-2024:2037-1","SUSE-SU-2024:2038-1","SUSE-SU-2024:2039-1","openSUSE-SU-2024:14033-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00009.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00011.html"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20240726-0001/"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2024/06/07/1"},{"type":"EVIDENCE","url":"https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/php/php-src","events":[{"introduced":"c800ecda065b5642dde6aff5484d58d91d77f66c"},{"last_affected":"c796a801599b13943c2413589e339c39d1d4bb47"},{"introduced":"c6723538054d96291abb6bad4628b9f55bc7fc17"},{"last_affected":"dca8d5565b947270a29f232bc54efd9df3b92b94"},{"introdu
ced":"a66aeecc2c0adc32ea0bbaa6e669b92f2deaa939"},{"last_affected":"8213daa932be1c2ae04726233e4e56e5df63980e"},{"introduced":"381ba9f5d0edd0c9c8ec1dea7e21d513ad08b115"},{"fixed":"fc4973fb0dfae6085742868b8f0f05163e150a0c"},{"introduced":"70ee6c20ad97e02c2b8098aeea96fefbbc3ac5c2"},{"fixed":"40298a988fca728ddc47316938da61e0f768c872"},{"introduced":"d26068059e83fe40de3430a512471d194119bee0"},{"fixed":"ce51bfac759dedac1537f4d5666dcd33fbc4a281"}],"database_specific":{"versions":[{"introduced":"7.3.27"},{"last_affected":"7.3.33"},{"introduced":"7.4.15"},{"last_affected":"7.4.33"},{"introduced":"8.0.2"},{"last_affected":"8.0.30"},{"introduced":"8.1.0"},{"fixed":"8.1.29"},{"introduced":"8.2.0"},{"fixed":"8.2.20"},{"introduced":"8.3.0"},{"fixed":"8.3.8"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-5458.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"40"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}