In PHP versionsĀ 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLsĀ (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Php | Php | 7.3.27 (including) | 7.3.33 (including) |
| Php | Php | 7.4.15 (including) | 7.4.33 (including) |
| Php | Php | 8.0.2 (including) | 8.0.30 (including) |
| Php | Php | 8.1.0 (including) | 8.1.29 (excluding) |
| Php | Php | 8.2.0 (including) | 8.2.20 (excluding) |
| Php | Php | 8.3.0 (including) | 8.3.8 (excluding) |
| Php7.0 | Ubuntu | esm-infra/xenial | * |
| Php7.2 | Ubuntu | esm-infra/bionic | * |
| Php7.4 | Ubuntu | focal | * |
| Php8.1 | Ubuntu | jammy | * |
| Php8.1 | Ubuntu | upstream | * |
| Php8.2 | Ubuntu | mantic | * |
| Php8.2 | Ubuntu | upstream | * |
| Php8.3 | Ubuntu | devel | * |
| Php8.3 | Ubuntu | noble | * |
| Php8.3 | Ubuntu | oracular | * |
| Php8.3 | Ubuntu | upstream | * |