CVE-2024-5458

Published: 11 June 2024

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8, a code logic error causes filtering functions such as filter_var, when validating URLs (FILTER_VALIDATE_URL), to treat invalid user information (the username + password part of a URL) as valid user information for certain types of URLs. This may lead to downstream code accepting invalid URLs as valid and parsing them incorrectly.
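A defence-in-depth check for code that relies on filter_var and may still run on an unpatched PHP build, added here as an example (it is not code from php-src or from this advisory). The function names, the `$allowUserinfo` parameter and the sample URLs are assumptions made for illustration; the second gate re-checks the user information against the RFC 3986 `userinfo` grammar.

```php
<?php
declare(strict_types=1);

// Added example, not php-src or Ubuntu code. Function names are hypothetical.

/** True when $userinfo matches RFC 3986: *( unreserved / pct-encoded / sub-delims / ":" ). */
function userinfoIsRfc3986(string $userinfo): bool
{
    return preg_match(
        '/\A(?:[A-Za-z0-9\-._~!$&\'()*+,;=:]|%[0-9A-Fa-f]{2})*\z/',
        $userinfo
    ) === 1;
}

/** Returns $url when it passes both gates, otherwise null. */
function strictUrlOrNull(string $url, bool $allowUserinfo = false): ?string
{
    // Gate 1: PHP's own validator, the function this CVE affects.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    // Gate 2: take the authority straight from the string (scheme://authority...),
    // so the check does not depend on how a URL parser splits a malformed input.
    if (preg_match('~\A[^:/?#]+://([^/?#]*)~', $url, $m) !== 1) {
        return null; // assumption: only URLs with an authority part are wanted
    }
    $authority = $m[1];
    $atSigns = substr_count($authority, '@');
    if ($atSigns === 0) {
        return $url; // no user information present
    }
    if (!$allowUserinfo || $atSigns > 1) {
        return null; // credentials not expected, or ambiguous "@" split
    }
    $userinfo = substr($authority, 0, (int) strpos($authority, '@'));
    return userinfoIsRfc3986($userinfo) ? $url : null;
}

// Constructed sample inputs (not taken from the advisory).
$samples = [
    'https://example.com/path',
    'https://alice:s3cret@example.com/',
    'https://ali%20ce@example.com/',
    'https://ali[ce@example.com/',
];
foreach ($samples as $s) {
    printf("%-36s %s\n", $s, strictUrlOrNull($s, true) === null ? 'reject' : 'accept');
}
```

With the default `$allowUserinfo = false`, any URL carrying credentials is rejected outright, which is the simpler policy where user information in URLs is never expected.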

Priority

Medium

Cvss 3 Severity Score

5.3

Score breakdown

Status

Package Release Status
php5
Launchpad, Ubuntu, Debian
focal Does not exist

jammy Does not exist

mantic Does not exist

noble Does not exist

trusty Needs triage

upstream Needs triage

php7.0
Launchpad, Ubuntu, Debian
focal Does not exist

jammy Does not exist

mantic Does not exist

noble Does not exist

upstream Needs triage

xenial Needs triage

php7.2
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Does not exist

jammy Does not exist

mantic Does not exist

noble Does not exist

upstream Needs triage

php7.4
Launchpad, Ubuntu, Debian
focal Released (7.4.3-4ubuntu2.23)

jammy Does not exist

mantic Does not exist

noble Does not exist

upstream Needs triage

php8.1
Launchpad, Ubuntu, Debian
focal Does not exist

jammy Released (8.1.2-1ubuntu2.18)

mantic Does not exist

noble Does not exist

upstream Released (8.1.29)

php8.2
Launchpad, Ubuntu, Debian
focal Does not exist

jammy Does not exist

mantic Released (8.2.10-2ubuntu2.2)

noble Does not exist

upstream Released (8.2.20)

php8.3
Launchpad, Ubuntu, Debian
focal Does not exist

jammy Does not exist

mantic Does not exist

noble Released (8.3.6-0ubuntu0.24.04.1)

upstream Released (8.3.8)

Patches:
upstream: https://github.com/php/php-src/commit/c7486130d97d592aee8809a5bce97e11deac94a5
upstream: https://github.com/php/php-src/commit/7e0e3cc820c493301409a0ce2b6ef95e0ab06b0c

Severity score breakdown

Parameter Value
Base score 5.3
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact Low
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N