CVE-2021-21705

Updated: 2023-11-04 20:50:44.111729

Description:

In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via the filter_var() function with the FILTER_VALIDATE_URL parameter, a URL with an invalid password field can be accepted as valid. This can lead to the code parsing the URL incorrectly, with potential further security implications such as contacting a wrong server or making a wrong access decision.


Links: NIST, CIRCL, RHEL, Ubuntu

Severity

| | Severity | Score |
|---|---|---|
| CVSS Version 2.x | MEDIUM | 5 |
| CVSS Version 3.x | MEDIUM | 5.3 |

Status

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated |
|---|---|---|---|---|---|---|---|
| CentOS 6 ELS | php | 5.3.3 | 5.3 | MEDIUM | Released | CLSA-2021:1637673193 | 2022-05-05 12:02:24 |
| CentOS 7 ELS | php | 5.4.16 | 5.3 | MEDIUM | Ignored | | 2024-01-21 08:36:31 |
| CentOS 8.4 ELS | php | 7.4.6 | 5.3 | MEDIUM | Released | CLSA-2022:1654526233 | 2022-06-06 11:49:05 |
| CentOS 8.5 ELS | php | 7.4.19 | 5.3 | MEDIUM | Released | CLSA-2022:1654526615 | 2022-06-06 11:48:45 |
| CloudLinux 6 ELS | php | 5.3.3 | 5.3 | MEDIUM | Released | | 2022-02-22 11:48:03 |
| Oracle Linux 6 ELS | php | 5.3.3 | 5.3 | MEDIUM | Released | CLSA-2022:1643115104 | 2022-02-22 11:48:03 |
| Ubuntu 16.04 ELS | php | 7.0.33 | 5.3 | MEDIUM | Released | CLSA-2021:1639681846 | 2022-02-22 11:48:03 |
| Ubuntu 18.04 ELS | php | 7.2.24-0 | 5.3 | MEDIUM | Already Fixed | | 2023-07-04 17:06:50 |