CVE-2021-21707

Name
CVE-2021-21707
Description
In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://bugs.php.net/bug.php?id=79971
Third Party Advisory https://security.netapp.com/advisory/ntap-20211223-0005/
Third Party Advisory https://www.debian.org/security/2022/dsa-5082
CONFIRM https://www.tenable.com/security/tns-2022-09

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* php >= 7.3.0 < 7.3.33
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* php >= 7.4.0 < 7.4.26
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* php >= 8.0.0 < 8.0.13

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
php81 edge-community 8.1.0-r0 None fixed
php81 3.19-community 8.1.0-r0 None fixed
php81 3.18-community 8.1.0-r0 None fixed
php81 3.17-community 8.1.0-r0 None fixed
php8 edge-community 8.0.13-r0 Andy Postnikov <apostnikov@gmail.com> fixed
php7 edge-community 7.4.26-r0 Valery Kartel <valery.kartel@gmail.com> fixed