CVE-2021-21705 Incorrect URL validation in FILTER_VALIDATE_URL

2021-06-2800:00:00

CWE-20

php

www.cve.org

php

url validation

security implications

filter_var()

cve-2021-21705

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

AI Score

6.4

Confidence

High

EPSS

0.001

Percentile

39.9%

JSON

In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filter_var() function with FILTER_VALIDATE_URL parameter, an URL with invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially leading to other security implications - like contacting a wrong server or making a wrong access decision.

CNA Affected

[
  {
    "product": "PHP",
    "vendor": "PHP Group",
    "versions": [
      {
        "lessThan": "7.3.29",
        "status": "affected",
        "version": "7.3.x",
        "versionType": "custom"
      },
      {
        "lessThan": "7.4.21",
        "status": "affected",
        "version": "7.4.x",
        "versionType": "custom"
      },
      {
        "lessThan": "8.0.8",
        "status": "affected",
        "version": "8.0.X",
        "versionType": "custom"
      }
    ]
  }
]