CVE-2020-7071 — Improper Input Validation in Group PHP

CWE-20 — Improper Input Validation11 documents8 sources

Severity

5.3MEDIUMNVD

EPSS

7.0%

top 8.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PHP Group PHP PHP Debian Linux

Timeline

PublishedFeb 15

Latest updateMay 24

Description

In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invalid password as valid URL. This may lead to functions that rely on URL being valid to mis-parse the URL and produce wrong data as components of the URL.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDphp/php7.3.0 — 7.3.26+2

▶CVEListV5php_group/php7.3.x — 7.3.26+2

Also affects: Debian Linux 10.0, 9.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-grxx-qh3p-vx7g: In PHP versions 7↗2022-05-24

▶

OSV

php5, php7.0 vulnerabilities↗2021-07-13

▶

OSV

php7.2, php7.4 vulnerabilities↗2021-07-07

▶

CVEList

FILTER_VALIDATE_URL accepts URLs with invalid userinfo↗2021-02-15

▶

OSV

CVE-2020-7071: In PHP versions 7↗2021-02-15

▶

📋Vendor Advisories

Ubuntu

PHP vulnerabilities↗2021-07-13

▶

Ubuntu

PHP vulnerabilities↗2021-07-07

▶

Microsoft

FILTER_VALIDATE_URL accepts URLs with invalid userinfo↗2021-02-09

▶

Red Hat

php: FILTER_VALIDATE_URL accepts URLs with invalid userinfo↗2021-01-03

▶

Debian

CVE-2020-7071: php7.4 - In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validatin...↗2020

▶