CVE-2021-21705
Summary
| CVE | CVE-2021-21705 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-10-04 04:15:00 UTC |
| Updated | 2022-10-29 02:50:00 UTC |
| Description | In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via the filter_var() function with the FILTER_VALIDATE_URL parameter, a URL with an invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially lead to other security implications, such as contacting a wrong server or making a wrong access decision. |
Risk And Classification
Problem Types: CWE-20
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Netapp | Clustered Data Ontap | - | All | All | All |
| Application | Oracle | Sd-wan Aware | 8.2 | All | All | All |
| Application | Php | Php | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| PHP: Multiple Vulnerabilities (GLSA 202209-20) — Gentoo security | GENTOO | security.gentoo.org | |
| PHP :: Sec Bug #81122 :: SSRF bypass in FILTER_VALIDATE_URL | CONFIRM | bugs.php.net | |
| Oracle Critical Patch Update Advisory - January 2022 | MISC | www.oracle.com | |
| September 2021 PHP Vulnerabilities in NetApp Products (NetApp Product Security) | CONFIRM | security.netapp.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: reported by vi at hackberry dot xyz
Legacy QID Mappings
- 150469 PHP Multiple Vulnerabilities (CVE-2021-21704,CVE-2021-21705)
- 159834 Oracle Enterprise Linux Security Update for php:7.4 (ELSA-2022-1935)
- 178696 Debian Security Update for php7.3 (DSA 4935-1)
- 178707 Debian Security Update for php7.0 (DLA 2708-1)
- 180055 Debian Security Update for php7.4 (CVE-2021-21705)
- 198429 Ubuntu Security Notification for Hypertext Preprocessor vulnerabilities (USN-5006-1)
- 239528 Red Hat Update for rh-php73-php (RHSA-2021:2992)
- 240318 Red Hat Update for php:7.4 (RHSA-2022:1935)
- 281697 Fedora Security Update for php (FEDORA-2021-d867b595d1)
- 281698 Fedora Security Update for php (FEDORA-2021-172c8bd11d)
- 352803 Amazon Linux Security Advisory for php73: ALAS-2021-1532
- 356070 Amazon Linux Security Advisory for Hypertext Preprocessor (PHP) : ALASPHP8.0-2023-008
- 356080 Amazon Linux Security Advisory for Hypertext Preprocessor (PHP) : ALASPHP8.0-2023-008
- 38844 PHP Multiple Security Vulnerabilities
- 501143 Alpine Linux Security Update for php7
- 501662 Alpine Linux Security Update for php7
- 501670 Alpine Linux Security Update for php8
- 670721 EulerOS Security Update for php (EulerOS-SA-2021-2479)
- 710633 Gentoo Linux Hypertext Preprocessor (PHP) Multiple Vulnerabilities (GLSA 202209-20)
- 750905 SUSE Enterprise Linux Security Update for php72 (SUSE-SU-2021:2564-1)
- 750908 OpenSUSE Security Update for php7 (openSUSE-SU-2021:2575-1)
- 750933 SUSE Enterprise Linux Security Update for php74 (SUSE-SU-2021:2636-1)
- 750937 OpenSUSE Security Update for php7 (openSUSE-SU-2021:2637-1)
- 750952 OpenSUSE Security Update for php7 (openSUSE-SU-2021:1130-1)
- 752878 SUSE Enterprise Linux Security Update for php7 (SUSE-SU-2022:4067-1)
- 752898 SUSE Enterprise Linux Security Update for php7 (SUSE-SU-2022:4069-1)
- 752901 SUSE Enterprise Linux Security Update for php74 (SUSE-SU-2022:4068-1)
- 901129 Common Base Linux Mariner (CBL-Mariner) Security Update for Hypertext Preprocessor (PHP) (7327)
- 940552 AlmaLinux Security Update for php:7.4 (ALSA-2022:1935)
- 960280 Rocky Linux Security Update for php:7.4 (RLSA-2022:1935)