CVE-2024-5458: 
PHP vulnerability analysis and mitigation

CVE-2024-5458 affects PHP versions 8.1. before 8.1.29, 8.2. before 8.2.20, and 8.3.* before 8.3.8. The vulnerability was discovered and disclosed on June 9, 2024, affecting the filtervar function when validating URLs (FILTERVALIDATE_URL). This vulnerability exists due to a code logic error that causes invalid user information in URLs to be treated as valid, particularly affecting URLs with IPv6 host parts (PHP Security Advisory).

The vulnerability stems from an early-return statement in the phpfiltervalidateurl function within php-src/ext/filter/logicalfilters.c. For HTTP-IPv6 addresses, the implementation contains an early return statement that results in further checks on the user_info being skipped. This causes the same issues as CVE-2020-7071 but specifically affects IPv6 host parts. The CVSS v3.1 base score is 5.3 (MEDIUM) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (PHP Security Advisory, OSS Security).

When successfully exploited, this vulnerability could lead to downstream code accepting invalid URLs as valid and parsing them incorrectly. The vulnerability primarily affects the integrity of URL validation, potentially allowing malformed URLs to bypass security checks (PHP Security Advisory).

The vulnerability has been patched in PHP versions 8.1.29, 8.2.20, and 8.3.8. The fix involves restructuring the code to include the user_info checks if the IPv6-host part is correct, ensuring that SUCCESS is only returned if the end of the function is reached. Users are strongly advised to upgrade to these patched versions (PHP Security Advisory, Fedora Update).

Multiple Linux distributions and software vendors have responded to this vulnerability by releasing security updates. Debian has issued security advisory DLA-3833-1, Red Hat has released updates for affected versions, and Fedora has pushed security updates for both Fedora 39 and 40 (Debian Advisory, Fedora Update).