CVE-2020-7071 Information
Description
In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating a URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept a URL with an invalid password as a valid URL. This may lead functions that rely on the URL being valid to mis-parse the URL and produce wrong data as components of the URL.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Reference
https://bugs.php.net/bug.php?id=77423
https://www.debian.org/security/2021/dsa-4856
https://security.netapp.com/advisory/ntap-20210312-0005/
https://security.gentoo.org/glsa/202105-23
https://lists.debian.org/debian-lts-announce/2021/07/msg00008.html
https://www.tenable.com/security/tns-2021-14
https://www.oracle.com/security-alerts/cpuoct2021.html
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
Base Score
5.3
Base Severity
MEDIUM