{"api_version":"1","generated_at":"2026-04-23T00:59:29+00:00","cve":"CVE-2021-21704","urls":{"html":"https://cve.report/CVE-2021-21704","api":"https://cve.report/api/cve/CVE-2021-21704.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-21704","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-21704"},"summary":{"title":"CVE-2021-21704","description":"In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(), execute(), fetch() and others by returning invalid response data that is not parsed correctly by the driver. This can result in crashes, denial of service or potentially memory corruption.","state":"PUBLIC","assigner":"security@php.net","published_at":"2021-10-04 04:15:00","updated_at":"2022-10-25 14:58:00"},"problem_types":["CWE-787"],"metrics":[],"references":[{"url":"https://security.gentoo.org/glsa/202209-20","name":"GLSA-202209-20","refsource":"GENTOO","tags":[],"title":"PHP: Multiple Vulnerabilities (GLSA 202209-20) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://bugs.php.net/bug.php?id=76450","name":"N/A","refsource":"CONFIRM","tags":[],"title":"PHP :: Sec Bug #76450 :: SIGSEGV in firebird_stmt_execute","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://bugs.php.net/bug.php?id=76452","name":"N/A","refsource":"CONFIRM","tags":[],"title":"PHP :: Sec Bug #76452 :: Crash while parsing blob data in firebird_fetch_blob","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugs.php.net/bug.php?id=76449","name":"N/A","refsource":"CONFIRM","tags":[],"title":"PHP :: Sec Bug #76449 :: SIGSEGV in firebird_handle_doer","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugs.php.net/bug.php?id=76448","name":"N/A","refsource":"CONFIRM","tags":[],"title":"PHP :: Sec Bug #76448 :: Stack buffer overflow in firebird_info_cb","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20211029-0006/","name":"https://security.netapp.com/advisory/ntap-20211029-0006/","refsource":"CONFIRM","tags":[],"title":"September 2021 PHP Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-21704","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21704","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"reported by trichimtrich at gmail dot com","lang":""}],"nvd_cpes":[{"cve_year":"2021","cve_id":"21704","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"clustered_data_ontap","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"21704","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"php","cpe5":"php","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-21704","qid":"150469","title":"PHP Multiple Vulnerabilities (CVE-2021-21704,CVE-2021-21705)"},{"cve":"CVE-2021-21704","qid":"178696","title":"Debian Security Update for php7.3 (DSA 4935-1)"},{"cve":"CVE-2021-21704","qid":"178707","title":"Debian Security Update for php7.0 (DLA 2708-1)"},{"cve":"CVE-2021-21704","qid":"179882","title":"Debian Security Update for php7.4 (CVE-2021-21704)"},{"cve":"CVE-2021-21704","qid":"198429","title":"Ubuntu Security Notification for Hypertext Preprocessor vulnerabilities (USN-5006-1)"},{"cve":"CVE-2021-21704","qid":"281697","title":"Fedora Security Update for php (FEDORA-2021-d867b595d1)"},{"cve":"CVE-2021-21704","qid":"281698","title":"Fedora Security Update for php (FEDORA-2021-172c8bd11d)"},{"cve":"CVE-2021-21704","qid":"352803","title":"Amazon Linux Security Advisory for php73: ALAS-2021-1532"},{"cve":"CVE-2021-21704","qid":"356070","title":"Amazon Linux Security Advisory for Hypertext Preprocessor (PHP) : ALASPHP8.0-2023-008"},{"cve":"CVE-2021-21704","qid":"356080","title":"Amazon Linux Security Advisory for Hypertext Preprocessor (PHP) : ALASPHP8.0-2023-008"},{"cve":"CVE-2021-21704","qid":"38844","title":"PHP Multiple Security Vulnerabilities"},{"cve":"CVE-2021-21704","qid":"670721","title":"EulerOS Security Update for php (EulerOS-SA-2021-2479)"},{"cve":"CVE-2021-21704","qid":"710633","title":"Gentoo Linux Hypertext Preprocessor (PHP) Multiple Vulnerabilities (GLSA 202209-20)"},{"cve":"CVE-2021-21704","qid":"750933","title":"SUSE Enterprise Linux Security Update for php74 (SUSE-SU-2021:2636-1)"},{"cve":"CVE-2021-21704","qid":"750936","title":"SUSE Enterprise Linux Security Update for php72 (SUSE-SU-2021:2638-1)"},{"cve":"CVE-2021-21704","qid":"750937","title":"OpenSUSE Security Update for php7 (openSUSE-SU-2021:2637-1)"},{"cve":"CVE-2021-21704","qid":"750952","title":"OpenSUSE Security Update for php7 (openSUSE-SU-2021:1130-1)"},{"cve":"CVE-2021-21704","qid":"750991","title":"SUSE Enterprise Linux Security Update for php7 (SUSE-SU-2021:2795-1)"},{"cve":"CVE-2021-21704","qid":"751019","title":"OpenSUSE Security Update for php7 (openSUSE-SU-2021:2795-1)"},{"cve":"CVE-2021-21704","qid":"752878","title":"SUSE Enterprise Linux Security Update for php7 (SUSE-SU-2022:4067-1)"},{"cve":"CVE-2021-21704","qid":"752898","title":"SUSE Enterprise Linux Security Update for php7 (SUSE-SU-2022:4069-1)"},{"cve":"CVE-2021-21704","qid":"752901","title":"SUSE Enterprise Linux Security Update for php74 (SUSE-SU-2022:4068-1)"},{"cve":"CVE-2021-21704","qid":"901082","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for Hypertext Preprocessor (PHP) (7326)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@php.net","DATE_PUBLIC":"2021-06-21T11:41:00.000Z","ID":"CVE-2021-21704","STATE":"PUBLIC","TITLE":"Multiple vulnerabilities in Firebird client extension"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"PHP","version":{"version_data":[{"version_affected":"<","version_name":"7.3.x","version_value":"7.3.29"},{"version_affected":"<","version_name":"7.4.x","version_value":"7.4.21"},{"version_affected":"<","version_name":"8.0.X","version_value":"8.0.8"}]}}]},"vendor_name":"PHP Group"}]}},"credit":[{"lang":"eng","value":"reported by trichimtrich at gmail dot com"}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(), execute(), fetch() and others by returning invalid response data that is not parsed correctly by the driver. This can result in crashes, denial of service or potentially memory corruption."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":{"cvss":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":5,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-125 Out-of-bounds Read"}]},{"description":[{"lang":"eng","value":"CWE-190 Integer Overflow or Wraparound"}]}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://bugs.php.net/bug.php?id=76448","name":"https://bugs.php.net/bug.php?id=76448"},{"refsource":"MISC","url":"https://bugs.php.net/bug.php?id=76449","name":"https://bugs.php.net/bug.php?id=76449"},{"refsource":"MISC","url":"https://bugs.php.net/bug.php?id=76450","name":"https://bugs.php.net/bug.php?id=76450"},{"refsource":"MISC","url":"https://bugs.php.net/bug.php?id=76452","name":"https://bugs.php.net/bug.php?id=76452"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20211029-0006/","url":"https://security.netapp.com/advisory/ntap-20211029-0006/"},{"refsource":"GENTOO","name":"GLSA-202209-20","url":"https://security.gentoo.org/glsa/202209-20"}]},"source":{"defect":["https://bugs.php.net/bug.php?id=76448","https://bugs.php.net/bug.php?id=76449","https://bugs.php.net/bug.php?id=76450","https://bugs.php.net/bug.php?id=76452",""],"discovery":"EXTERNAL"}},"nvd":{"publishedDate":"2021-10-04 04:15:00","lastModifiedDate":"2022-10-25 14:58:00","problem_types":["CWE-787"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":5.9,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.2,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:N/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*","versionStartIncluding":"8.0.0","versionEndExcluding":"8.0.8","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*","versionStartIncluding":"7.4.0","versionEndExcluding":"7.4.21","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*","versionStartIncluding":"7.3.0","versionEndExcluding":"7.3.29","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"21704","Ordinal":"196393","Title":"CVE-2021-21704","CVE":"CVE-2021-21704","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"21704","Ordinal":"1","NoteData":"In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(), execute(), fetch() and others by returning invalid response data that is not parsed correctly by the driver. This can result in crashes, denial of service or potentially memory corruption.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"21704","Ordinal":"2","NoteData":"2021-10-04","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"21704","Ordinal":"3","NoteData":"2021-10-29","Type":"Other","Title":"Modified"}]}}}