CVE-2021-21707 Information
Jun 06, 2022
cve
Description
In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions like simplexml_load_file() URL-decode the filename passed to them. If that filename contains a URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to read a different file than intended.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Reference
https://bugs.php.net/bug.php?id=79971
https://security.netapp.com/advisory/ntap-20211223-0005/
https://www.debian.org/security/2022/dsa-5082
https://www.tenable.com/security/tns-2022-09
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
Base Score
5.3
Base Severity
MEDIUM