Your submission was sent successfully! Close

CVE-2021-21705

Published: 02 July 2021

In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filter_var() function with FILTER_VALIDATE_URL parameter, an URL with invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially leading to other security implications - like contacting a wrong server or making a wrong access decision.

Priority

Medium

CVSS 3 base score: 5.3

Status

Package Release Status
php5
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.10 (Impish Indri) Does not exist

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr)
Released (5.5.9+dfsg-1ubuntu4.29+esm14)
php7.0
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.10 (Impish Indri) Does not exist

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus)
Released (7.0.33-0ubuntu0.16.04.16+esm1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

php7.2
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.10 (Impish Indri) Does not exist

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver)
Released (7.2.24-0ubuntu0.18.04.8)
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

php7.4
Launchpad, Ubuntu, Debian
Upstream
Released (7.4.21)
Ubuntu 21.10 (Impish Indri) Does not exist

Ubuntu 21.04 (Hirsute Hippo)
Released (7.4.16-1ubuntu2.1)
Ubuntu 20.04 LTS (Focal Fossa)
Released (7.4.3-4ubuntu2.5)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: https://github.com/php/php-src/commit/a5538c62293fa782fcc382d0635cfc0c8b9190e3
Upstream: https://github.com/php/php-src/commit/7bab67c2d0d3c30b1176d5bcf6f20b0e1c50c589
php8.0
Launchpad, Ubuntu, Debian
Upstream
Released (8.0.8)
Ubuntu 21.10 (Impish Indri)
Released (8.0.8-1)
Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist