CVE-2021-21707 - OpenCVE

In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Netapp	Clustered Data Ontap
Debian	Debian Linux
Php	Php
Tenable	Tenable.sc

Configuration 1 [-]

OR	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::

Configuration 2 [-]

cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*

Configuration 3 [-]

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 4 [-]

cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:*

References

Link	Resource
https://bugs.php.net/bug.php?id=79971	Exploit Issue Tracking Patch Release Notes Vendor Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html	Issue Tracking Mailing List
https://security.netapp.com/advisory/ntap-20211223-0005/	Third Party Advisory
https://www.debian.org/security/2022/dsa-5082	Third Party Advisory
https://www.tenable.com/security/tns-2022-09	Patch Release Notes Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: php

Published: 2021-11-15T00:00:00

Updated: 2022-12-15T00:00:00

Reserved: 2021-01-04T00:00:00

Link: CVE-2021-21707

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-11-29T07:15:06.397

Modified: 2023-02-16T03:07:25.807

Link: CVE-2021-21707

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-21707", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "assignerShortName": "php", "datePublished": "2021-11-15T00:00:00", "dateUpdated": "2022-12-15T00:00:00", "dateReserved": "2021-01-04T00:00:00"}, "containers": {"cna": {"title": "Special characters break path parsing in XML functions", "datePublic": "2021-11-15T00:00:00", "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2022-12-15T00:00:00"}, "descriptions": [{"lang": "en", "value": "In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended."}], "affected": [{"vendor": "PHP Group", "product": "PHP", "versions": [{"version": "7.3.x", "status": "affected", "lessThan": "7.3.33", "versionType": "custom"}, {"version": "7.4.x", "status": "affected", "lessThan": "7.4.26", "versionType": "custom"}, {"version": "8.0.X", "status": "affected", "lessThan": "8.0.13", "versionType": "custom"}]}], "references": [{"url": "https://bugs.php.net/bug.php?id=79971"}, {"url": "https://security.netapp.com/advisory/ntap-20211223-0005/"}, {"name": "DSA-5082", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2022/dsa-5082"}, {"url": "https://www.tenable.com/security/tns-2022-09"}, {"name": "[debian-lts-announce] 20221215 [SECURITY] [DLA 3243-1] php7.3 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html"}], "credits": [{"lang": "en", "value": "Reported by rawataman6525 at gmail dot com"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-159 Failure to Sanitize Special Element", "cweId": "CWE-159"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"advisory": "https://bugs.php.net/bug.php?id=79971", "defect": ["https://bugs.php.net/bug.php?id=79971"], "discovery": "EXTERNAL"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "C87BA6C9-B0C3-4039-8F77-C310B1879FA5", "versionEndExcluding": "7.3.33", "versionStartIncluding": "7.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "83EEF959-AE5C-43C0-AF21-535B813E5DC6", "versionEndExcluding": "7.4.26", "versionStartIncluding": "7.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "60FBEAE8-F094-420B-8282-AFC3C33ABF28", "versionEndExcluding": "8.0.13", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*", "matchCriteriaId": "1FE996B1-6951-4F85-AA58-B99A379D2163", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:*", "matchCriteriaId": "CAB9A41F-91F1-40DF-BF12-6ADA7229A84C", "versionEndExcluding": "5.21.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended."}, {"lang": "es", "value": "En PHP versiones 7.3.x anteriores a 7.3.33, 7.4.x anteriores a 7.4.26 y 8.0.x anteriores a 8.0.13, determinadas funciones de an\u00e1lisis de XML, como simplexml_load_file(), decodifican el nombre de archivo que les es pasado. Si ese nombre de archivo contiene un car\u00e1cter NUL codificado en la URL, esto puede causar que la funci\u00f3n lo interprete como el final del nombre de archivo, interpretando as\u00ed el nombre de archivo de forma diferente a la que el usuario pretend\u00eda, lo que puede conllevar a una lectura de un archivo diferente al deseado"}], "id": "CVE-2021-21707", "lastModified": "2023-02-16T03:07:25.807", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@php.net", "type": "Secondary"}]}, "published": "2021-11-29T07:15:06.397", "references": [{"source": "security@php.net", "tags": ["Exploit", "Issue Tracking", "Patch", "Release Notes", "Vendor Advisory"], "url": "https://bugs.php.net/bug.php?id=79971"}, {"source": "security@php.net", "tags": ["Issue Tracking", "Mailing List"], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html"}, {"source": "security@php.net", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20211223-0005/"}, {"source": "security@php.net", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5082"}, {"source": "security@php.net", "tags": ["Patch", "Release Notes", "Third Party Advisory"], "url": "https://www.tenable.com/security/tns-2022-09"}], "sourceIdentifier": "security@php.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-159"}], "source": "security@php.net", "type": "Secondary"}]}