CVE-2021-21702 — NULL Pointer Dereference in Group PHP

CWE-476 — NULL Pointer Dereference16 documents8 sources

Severity

7.5HIGHNVD

CNA5.3

EPSS

0.3%

top 49.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PHP Group PHP PHP Oracle Communications Diameter Signaling Router +1 more

Timeline

PublishedFeb 15

Latest updateMay 2

Description

In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to connect to a SOAP server, a malicious SOAP server could return malformed XML data as a response that would cause PHP to access a null pointer and thus cause a crash.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDphp/php7.3.0 — 7.3.27+2

▶CVEListV5php_group/php7.3.x — 7.3.27+2

▶NVDoracle/communications_diameter_signaling_router8.0.0 — 8.5.0

Also affects: Debian Linux 10.0, 9.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

linux-xilinx-zynqmp vulnerabilities↗2025-05-02

▶

OSV

linux-azure-fips, linux-fips, linux-gcp-fips vulnerabilities↗2025-04-24

▶

OSV

linux-aws, linux-aws-5.4, linux-gcp-5.4, linux-iot vulnerabilities↗2025-04-24

▶

OSV

linux-aws-fips vulnerabilities↗2025-04-24

▶

OSV

linux, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4 vulnerabilities↗2025-04-24

▶

📋Vendor Advisories

Ubuntu

PHP vulnerabilities↗2021-07-13

▶

Ubuntu

PHP vulnerabilities↗2021-07-07

▶

Microsoft

Null Dereference in SoapClient↗2021-02-09

▶

Red Hat

php: NULL pointer dereference in SoapClient↗2021-01-26

▶

Debian

CVE-2021-21702: php7.4 - In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, wh...↗2021

▶