CVE-2021-21708
Published: 31 December 2021
In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with the FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result in crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits.
Notes
Author | Note |
---|---|
sbeattie | PEAR issues should go against php-pear as of xenial |
rodrigo-zaiden | the issue was introduced in PHP 7.4, seems like it was in commit https://github.com/php/php-src/commit/07df6594 |
Priority
Status
Package | Release | Status |
---|---|---|
php5 | bionic | Does not exist |
php5 | focal | Does not exist |
php5 | impish | Does not exist |
php5 | jammy | Does not exist |
php5 | trusty | Not vulnerable (code not present) |
php5 | upstream | Not vulnerable (code not present) |
php5 | xenial | Does not exist |
php7.0 | bionic | Does not exist |
php7.0 | focal | Does not exist |
php7.0 | impish | Does not exist |
php7.0 | jammy | Does not exist |
php7.0 | trusty | Does not exist |
php7.0 | upstream | Not vulnerable (code not present) |
php7.0 | xenial | Not vulnerable (code not present) |
php7.2 | bionic | Not vulnerable (code not present) |
php7.2 | focal | Does not exist |
php7.2 | impish | Does not exist |
php7.2 | jammy | Does not exist |
php7.2 | trusty | Does not exist |
php7.2 | upstream | Not vulnerable (code not present) |
php7.2 | xenial | Does not exist |
php7.4 | bionic | Does not exist |
php7.4 | focal | Released (7.4.3-4ubuntu2.9) |
php7.4 | impish | Does not exist |
php7.4 | jammy | Does not exist |
php7.4 | trusty | Does not exist |
php7.4 | upstream | Released (7.4.28) |
php7.4 | xenial | Does not exist |
php7.4 | Patches | upstream: https://github.com/php/php-src/commit/dce5e561a63fc970de722636ad8c09e9b079e8ae |
php8.0 | bionic | Does not exist |
php8.0 | focal | Does not exist |
php8.0 | impish | Released (8.0.8-1ubuntu0.2) |
php8.0 | jammy | Does not exist |
php8.0 | trusty | Does not exist |
php8.0 | upstream | Needs triage |
php8.0 | xenial | Does not exist |
php8.1 | bionic | Does not exist |
php8.1 | focal | Does not exist |
php8.1 | impish | Does not exist |
php8.1 | jammy | Released (8.1.2-1ubuntu1) |
php8.1 | trusty | Does not exist |
php8.1 | upstream | Released (8.1.3) |
php8.1 | xenial | Does not exist |
php8.1 | Patches | upstream: https://github.com/php/php-src/commit/82f1bf1b6bc3a43aba62214870e6d0931e93a6d9 |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21708
- https://nakedsecurity.sophos.com/2022/02/18/irony-alert-php-fixes-security-flaw-in-input-validation-code/
- https://www.php.net/ChangeLog-8.php#PHP_8_1
- https://www.php.net/ChangeLog-7.php#PHP_7_4
- https://ubuntu.com/security/notices/USN-5303-1
- NVD
- Launchpad
- Debian