First published: Mon Jun 28 2021(Updated: )
In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filter_var() function with FILTER_VALIDATE_URL parameter, an URL with invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially leading to other security implications - like contacting a wrong server or making a wrong access decision.
Credit: security@php.net
Affected Software | Affected Version | How to fix |
---|---|---|
PHP PHP | >=7.3.0<7.3.29 | |
PHP PHP | >=7.4.0<7.4.21 | |
PHP PHP | >=8.0.0<8.0.8 | |
NetApp Clustered Data ONTAP | ||
Oracle SD-WAN Aware | =8.2 | |
PHP PHP | <8.0.8 | 8.0.8 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID of this bug is CVE-2021-21705.
The severity level of CVE-2021-21705 is medium (5.3).
PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21, and 8.0.x below 8.0.8 are affected by CVE-2021-21705.
CVE-2021-21705 can be exploited by using an URL with an invalid password field that is accepted as valid, leading to incorrect parsing of the URL and potential code execution.
You can find more information about CVE-2021-21705 at the following references: [reference 1], [reference 2], [reference 3].