CVE-2021-21707

Опубликовано: 15 нояб. 2021

Источник: redhat

CVSS3: 5.3

Описание

In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.

A flaw was found in php. The main cause of this vulnerability is improper input validation while parsing an Extensible Markup Language(XML) entity. A special character could allow an attacker to traverse directories. The highest threat from this vulnerability is confidentiality.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Enterprise Linux 6	php	Out of support scope
Red Hat Enterprise Linux 7	php	Out of support scope
Red Hat Enterprise Linux 8	php:7.3/php	Out of support scope
Red Hat Enterprise Linux 9	php	Not affected
Red Hat Enterprise Linux 8	php	Fixed	RHSA-2022:7628	08.11.2022
Red Hat Software Collections for Red Hat Enterprise Linux 7	rh-php73-php	Fixed	RHSA-2022:5491	04.07.2022

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-20

https://bugzilla.redhat.com/show_bug.cgi?id=2026045php: Special character breaks path in xml parsing

5.3 Medium

CVSS3

Связанные уязвимости

CVE-2021-21707

CVSS3: 5.3

ubuntu

почти 4 года назад

CVE-2021-21707

CVSS3: 5.3

nvd

почти 4 года назад

CVE-2021-21707

CVSS3: 5.3

msrc

около 1 месяца назад

Special characters break path parsing in XML functions

CVE-2021-21707

CVSS3: 5.3

debian

почти 4 года назад

In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below ...

SUSE-SU-2021:3927-1

suse-cvrf

почти 4 года назад

Security update for php74

5.3 Medium

CVSS3