CVE-2021-21707

Summary

CVE: CVE-2021-21707
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2021-11-29 07:15:00 UTC
Updated: 2023-02-16 03:07:00 UTC
Description: In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains a URL-encoded NUL character, the function may interpret it as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.

Risk And Classification

Problem Types: NVD-CWE-Other

NVD Known Affected Configurations (CPE 2.3)

Type             | Vendor  | Product              | Version | Update | Edition | Language
Operating System | Debian  | Debian Linux         | 10.0    | All    | All     | All
Operating System | Debian  | Debian Linux         | 11.0    | All    | All     | All
Application      | Netapp  | Clustered Data Ontap | -       | All    | All     | All
Application      | Php     | Php                  | All     | All    | All     | All
Application      | Tenable | Tenable.sc           | All     | All    | All     | All

References

Reference | Source | Link | Tags
CVE-2021-21707 PHP Vulnerability in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com |
Debian -- Security Information -- DSA-5082-1 php7.4 | DEBIAN | www.debian.org |
[R1] Tenable.sc 5.21.0 Fixes Multiple Third-Party Vulnerabilities - Security Advisory | Tenable® | CONFIRM | www.tenable.com |
PHP :: Sec Bug #79971 :: special character is breaking the path in xml function | MISC | bugs.php.net |
[SECURITY] [DLA 3243-1] php7.3 security update | MLIST | lists.debian.org |
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: Reported by rawataman6525 at gmail dot com

Legacy QID Mappings

  • 150480 Improper Handling of XML Functions in PHP (CVE-2021-21707)
  • 160244 Oracle Enterprise Linux Security Update for php:7.4 (ELSA-2022-7628)
  • 179085 Debian Security Update for php7.4 (DSA 5082-1)
  • 181332 Debian Security Update for php7.3 (DLA 3243-1)
  • 198686 Ubuntu Security Notification for Hypertext Preprocessor (PHP) Vulnerabilities (USN-5300-2)
  • 198690 Ubuntu Security Notification for Hypertext Preprocessor (PHP) Vulnerabilities (USN-5300-3)
  • 240535 Red Hat Update for rh-php73-php (RHSA-2022:5491)
  • 240855 Red Hat Update for php:7.4 security (RHSA-2022:7628)
  • 282077 Fedora Security Update for Hypertext Preprocessor (PHP) (FEDORA-2021-88ba46f2b2)
  • 282078 Fedora Security Update for Hypertext Preprocessor (PHP) (FEDORA-2021-c8043fa05f)
  • 282149 Fedora Security Update for Hypertext Preprocessor (PHP) (FEDORA-2021-06795380db)
  • 354412 Amazon Linux Security Advisory for Hypertext Preprocessor (PHP) : ALAS2022-2022-073
  • 356072 Amazon Linux Security Advisory for Hypertext Preprocessor (PHP) : ALASPHP8.0-2023-001
  • 356083 Amazon Linux Security Advisory for Hypertext Preprocessor (PHP) : ALASPHP8.0-2023-001
  • 377999 Alibaba Cloud Linux Security Update for php:7.4 (ALINUX3-SA-2023:0018)
  • 38884 Hypertext Preprocessor (PHP) Extensible Markup Language (XML) Parsing Vulnerability (79971)
  • 501146 Alpine Linux Security Update for php7
  • 501665 Alpine Linux Security Update for php7
  • 501668 Alpine Linux Security Update for php8
  • 502330 Alpine Linux Security Update for php81
  • 671646 EulerOS Security Update for Hypertext Preprocessor (PHP) (EulerOS-SA-2022-1755)
  • 751448 SUSE Enterprise Linux Security Update for php74 (SUSE-SU-2021:3927-1)
  • 751467 OpenSUSE Security Update for php7 (openSUSE-SU-2021:3943-1)
  • 751513 OpenSUSE Security Update for php7 (openSUSE-SU-2021:1570-1)
  • 751763 SUSE Enterprise Linux Security Update for php72 (SUSE-SU-2022:0577-1)
  • 751772 SUSE Enterprise Linux Security Update for php7 (SUSE-SU-2022:0679-1)
  • 751779 OpenSUSE Security Update for php7 (openSUSE-SU-2022:0679-1)
  • 752863 SUSE Enterprise Linux Security Update for php7 (SUSE-SU-2022:3997-1)
  • 752878 SUSE Enterprise Linux Security Update for php7 (SUSE-SU-2022:4067-1)
  • 752898 SUSE Enterprise Linux Security Update for php7 (SUSE-SU-2022:4069-1)
  • 752901 SUSE Enterprise Linux Security Update for php74 (SUSE-SU-2022:4068-1)
  • 753278 SUSE Enterprise Linux Security Update for php7 (SUSE-SU-2022:2292-1)
  • 753350 SUSE Enterprise Linux Security Update for php8 (SUSE-SU-2022:2303-1)
  • 901256 Common Base Linux Mariner (CBL-Mariner) Security Update for Hypertext Preprocessor (PHP) (7328)
  • 940756 AlmaLinux Security Update for php:7.4 (ALSA-2022:7628)
  • 960333 Rocky Linux Security Update for php:7.4 (RLSA-2022:7628)
© CVE.report 2026