CVE-2021-21707

Sažetak

In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.

Reference

https://bugs.php.net/bug.php?id=79971
https://security.netapp.com/advisory/ntap-20211223-0005/
https://www.debian.org/security/2022/dsa-5082
https://www.tenable.com/security/tns-2022-09
https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html

CVSS

Base:	5.0
Impact:	2.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	NONE	NONE

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:N/A:N

Zadnje važnije ažuriranje

16-02-2023 - 03:07

Objavljeno

29-11-2021 - 07:15