QwikSec

Security Database

CVE

CWE

Training

CVE-2020-7071

Published: Feb 15, 2021

Modified: Sep 16, 2024

PUBLISHED

CVSS v3.1

5.3

MEDIUM

Description

In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invalid password as valid URL. This may lead to functions that rely on URL being valid to mis-parse the URL and produce wrong data as components of the URL.

Vendor	Product	Versions
PHP Group	PHP	affected `7.3.x - < 7.3.26` affected `7.4.x - < 7.4.14` affected `8.0.X - < 8.0.1`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

https://bugs.php.net/bug.php?id=77423

x_refsource_MISC

vendor-advisory

x_refsource_DEBIAN

vendor-advisory

x_refsource_GENTOO

[debian-lts-announce] 20210715 [SECURITY] [DLA 2708-1] php7.0 security update

mailing-list

x_refsource_MLIST

https://www.oracle.com/security-alerts/cpuoct2021.html

x_refsource_MISC

https://www.tenable.com/security/tns-2021-14

x_refsource_CONFIRM

https://security.netapp.com/advisory/ntap-20210312-0005/

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.