CVE-2020-7071

Published: 15 February 2021

In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating a URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept a URL with an invalid password as a valid URL. Functions that rely on the URL being valid may then mis-parse it and produce wrong data as components of the URL.
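One way to avoid relying on FILTER_VALIDATE_URL alone is to re-check the parsed components before acting on them. The following is an added example, not code from this advisory or from the PHP project; the helper name strict_url(), the allow-list and the sample URLs are assumptions made for illustration.

```php
<?php
// Added example. strict_url() is a hypothetical helper, not a PHP built-in.
function strict_url(string $url, array $allowedHosts): ?array
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    // RFC 3986 userinfo: unreserved / pct-encoded / sub-delims / ":"
    $userinfo = '/\A(?:[A-Za-z0-9\-._~!$&\'()*+,;=:]|%[0-9A-Fa-f]{2})*\z/';
    foreach (['user', 'pass'] as $k) {
        if (isset($p[$k]) && !preg_match($userinfo, $p[$k])) {
            return null;
        }
    }
    // Rebuild the authority from the parsed parts; it must match the input
    // verbatim. Fails closed on non-canonical forms such as "host:080".
    $auth = '';
    if (isset($p['user'])) {
        $auth .= $p['user'] . (isset($p['pass']) ? ':' . $p['pass'] : '') . '@';
    }
    $auth .= $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
    $prefix = $p['scheme'] . '://' . $auth;
    if (strncmp($url, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // The authority must end where the path, query or fragment begins.
    $next = (string) substr($url, strlen($prefix), 1);
    if ($next !== '' && strpos('/?#', $next) === false) {
        return null;
    }
    // Decide on the parsed host only, against an explicit allow-list.
    return in_array(strtolower($p['host']), $allowedHosts, true) ? $p : null;
}

// Constructed sample inputs; example.com and example.net are placeholders.
$samples = [
    'https://example.com/a',
    'https://user:p%40ss@example.com/a',
    'https://user:pa ss@example.com/a',
    'https://user:secret@example.net/a',
];
foreach ($samples as $u) {
    printf("%-40s %s\n", $u, strict_url($u, ['example.com']) ? 'accept' : 'reject');
}
```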

Priority

Low

CVSS 3 base score: 5.3

Status

Package Release Status
php5
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Released (5.5.9+dfsg-1ubuntu4.29+esm14)

php7.0
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Released (7.0.33-0ubuntu0.16.04.16+esm1)

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

php7.2
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Released (7.2.24-0ubuntu0.18.04.8)

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

php7.4
Upstream Released (7.4.14)

Ubuntu 21.04 (Hirsute Hippo) Not vulnerable (7.4.16-1ubuntu2)

Ubuntu 20.04 LTS (Focal Fossa) Released (7.4.3-4ubuntu2.5)

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=2d3d72412a6734e19a38ed10f385227a6238e4a6
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=128fca40376140c60b47a1c3750bb6435866838e (merge)
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=434c2b1bdbed80f01f5bc6c817c9b87fef917919 (merge)
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=4a89e726bd4d0571991dc22a9a1ad4509e8fe347 (fix #2)
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=fbf8c758fe31a19f35af839b97dc261a936c9b6e (merge)
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=9c673083cd46ee2a954a62156acbe4b6e657c048 (cleanup)
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=21f861225a627cc0143dbbd7b03c2686a77409d5 (merge)

php8.0
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist