CVE-2024-50342: 
PHP vulnerability analysis and mitigation

The CVE-2024-50342 affects symfony/http-client, a module for the Symphony PHP framework that provides methods to fetch HTTP resources synchronously or asynchronously. The vulnerability was discovered by Linus Karlsson and Chris Smith, and it involves information leakage during host resolution when using the NoPrivateNetworkHttpClient component, which could lead to IP/port enumeration. The issue affects versions prior to 5.4.46, 6.4.14, and 7.1.7 (GitHub Advisory).

The vulnerability stems from the NoPrivateNetworkHttpClient component not filtering blocked IPs early enough in the process, which results in internal information leakage during host resolution. The issue has been assigned a CVSS v3.1 base score of 3.1 (LOW) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating it requires network access, has high attack complexity, requires low privileges, and can result in low confidentiality impact (GitHub Advisory).

The vulnerability allows potential attackers to perform IP and port enumeration of internal networks, which could expose sensitive information about the network infrastructure. This information leakage occurs during the host resolution process, potentially revealing details about private network configurations (GitHub Advisory).

The issue has been fixed in versions 5.4.46, 6.4.14, and 7.1.7. The patch modifies the NoPrivateNetworkHttpClient to filter blocked IPs earlier in the process to prevent information leaks. Users are advised to upgrade to these patched versions. The fix is implemented through a modification that ensures proper filtering of private network addresses before connection attempts (GitHub Advisory, Ubuntu Notice).