Bug 2291252 (CVE-2024-5458)

Summary: CVE-2024-5458 php: Filter bypass in filter_var (FILTER_VALIDATE_URL)
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: kyoshida
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: php 8.1.29, php 8.2.20, php 8.3.8 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in PHP. An early return in the filter_var (FILTER_VALIDATE_URL) function results in invalid user information (username + password part of URLs) being treated as valid user information. This issue impacts users who expect only completely valid URLs to be returned by filter_var (FILTER_VALIDATE_URL). As this function is used to validate user-supplied strings, this issue exposes raw user input often.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2291253    
Bug Blocks: 2291254    

Description Avinash Hanwate 2024-06-11 04:51:05 UTC 
In PHP versionsĀ 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLsĀ (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.

http://www.openwall.com/lists/oss-security/2024/06/07/1
https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w
Comment 1 Avinash Hanwate 2024-06-11 05:00:09 UTC 
Created php tracking bugs for this issue:

Affects: fedora-all [bug 2291253]
Comment 3 errata-xmlrpc 2024-12-11 11:44:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:10952 https://access.redhat.com/errata/RHSA-2024:10952
Comment 4 errata-xmlrpc 2024-12-11 11:44:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:10950 https://access.redhat.com/errata/RHSA-2024:10950
Comment 5 errata-xmlrpc 2024-12-11 11:45:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:10949 https://access.redhat.com/errata/RHSA-2024:10949
Comment 6 errata-xmlrpc 2024-12-11 11:45:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:10951 https://access.redhat.com/errata/RHSA-2024:10951
Comment 8 errata-xmlrpc 2025-05-13 10:35:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7315 https://access.redhat.com/errata/RHSA-2025:7315