CVE-2021-21708 - OpenCVE

In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result it crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Php	Php

Configuration 1 [-]

OR	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::

References

Link	Resource
https://bugs.php.net/bug.php?id=81708	Exploit Issue Tracking Patch Vendor Advisory
https://security.gentoo.org/glsa/202209-20	Third Party Advisory
https://security.netapp.com/advisory/ntap-20220325-0004/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: php

Published: 2022-02-14T00:00:00

Updated: 2022-09-29T16:06:49

Reserved: 2021-01-04T00:00:00

Link: CVE-2021-21708

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-02-27T08:15:06.817

Modified: 2022-10-07T14:31:22.470

Link: CVE-2021-21708

JSON object: View

Redhat Information

No data.

CWE

CWE-416

{"containers": {"cna": {"affected": [{"product": "PHP", "vendor": "PHP Group", "versions": [{"lessThan": "7.4.28", "status": "affected", "version": "7.4.x", "versionType": "custom"}, {"lessThan": "8.0.16", "status": "affected", "version": "8.0.X", "versionType": "custom"}, {"lessThan": "8.1.3", "status": "affected", "version": "8.1.X", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "dukk at softdev dot online"}], "datePublic": "2022-02-14T00:00:00", "descriptions": [{"lang": "en", "value": "In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result it crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-29T16:06:49", "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugs.php.net/bug.php?id=81708"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20220325-0004/"}, {"name": "GLSA-202209-20", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202209-20"}], "source": {"defect": ["https://bugs.php.net/bug.php?id=81708"], "discovery": "EXTERNAL"}, "title": "UAF due to php_filter_float() failing", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@php.net", "DATE_PUBLIC": "2022-02-14T08:00:00.000Z", "ID": "CVE-2021-21708", "STATE": "PUBLIC", "TITLE": "UAF due to php_filter_float() failing"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "PHP", "version": {"version_data": [{"version_affected": "<", "version_name": "7.4.x", "version_value": "7.4.28"}, {"version_affected": "<", "version_name": "8.0.X", "version_value": "8.0.16"}, {"version_affected": "<", "version_name": "8.1.X", "version_value": "8.1.3"}]}}]}, "vendor_name": "PHP Group"}]}}, "credit": [{"lang": "eng", "value": "dukk at softdev dot online"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result it crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-416 Use After Free"}]}]}, "references": {"reference_data": [{"name": "https://bugs.php.net/bug.php?id=81708", "refsource": "MISC", "url": "https://bugs.php.net/bug.php?id=81708"}, {"name": "https://security.netapp.com/advisory/ntap-20220325-0004/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220325-0004/"}, {"name": "GLSA-202209-20", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202209-20"}]}, "source": {"defect": ["https://bugs.php.net/bug.php?id=81708"], "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "assignerShortName": "php", "cveId": "CVE-2021-21708", "datePublished": "2022-02-14T00:00:00", "dateReserved": "2021-01-04T00:00:00", "dateUpdated": "2022-09-29T16:06:49", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "07B88F14-3867-49F4-8BE6-64E1D98927AB", "versionEndExcluding": "7.4.28", "versionStartIncluding": "7.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "AC80C1D0-09AC-43B1-A653-7ECFB37DC42E", "versionEndExcluding": "8.0.16", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "B7E795BC-F012-4904-B445-D76E358EC66D", "versionEndExcluding": "8.1.3", "versionStartIncluding": "8.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result it crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits."}, {"lang": "es", "value": "En PHP versiones 7.4.x anteriores a 7.4.28, versiones 8.0.x anteriores a 8.0.16 y versiones 8.1.x anteriores a 8.1.3, cuando son usados funciones de filtrado con el filtro FILTER_VALIDATE_FLOAT y los l\u00edmites m\u00ednimo/m\u00e1ximo, si el filtro falla, se presenta la posibilidad de que sea activado el uso de la memoria asignada despu\u00e9s de liberarla, lo que puede resultar en un bloqueo, y potencialmente la sobreescritura de otros trozos de memoria y RCE. Este problema afecta a: el c\u00f3digo que usa FILTER_VALIDATE_FLOAT con l\u00edmites m\u00edn/m\u00e1x."}], "id": "CVE-2021-21708", "lastModified": "2022-10-07T14:31:22.470", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security@php.net", "type": "Secondary"}]}, "published": "2022-02-27T08:15:06.817", "references": [{"source": "security@php.net", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugs.php.net/bug.php?id=81708"}, {"source": "security@php.net", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202209-20"}, {"source": "security@php.net", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220325-0004/"}], "sourceIdentifier": "security@php.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-416"}], "source": "security@php.net", "type": "Secondary"}]}