CVE-2021-21705
Published 2021-10-04
CVE-2021-21705: In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filter_var() function with…
Priority: P4 · 32 · medium · CVSS 3.1 base score 5.3
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:L / A:N
EPSS: 1.94% (77.7th percentile)
In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via the filter_var() function with the FILTER_VALIDATE_URL parameter, a URL with an invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL, potentially leading to other security implications, like contacting a wrong server or making a wrong access decision.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php7.4 | < php7.4 7.4.21-1+deb11u1 (bullseye) | php7.4 7.4.21-1+deb11u1 (bullseye) |
| msrc | cbl2_php_on_cbl_mariner_2.0 | — | — |
| oracle | sd-wan_aware | — | — |
| php | php | >= 7.3.0 < 7.3.29 | 7.3.29 |
| php | php | >= 7.4.0 < 7.4.21 | 7.4.21 |
| php | php | >= 8.0.0 < 8.0.8 | 8.0.8 |
| php5 | php5 | >= 0 < 5.5.9+dfsg-1ubuntu4.29+esm14 | 5.5.9+dfsg-1ubuntu4.29+esm14 |
| php_group | php | >= 7.3.x < 7.3.29 | 7.3.29 |
| php_group | php | >= 7.4.x < 7.4.21 | 7.4.21 |
| php_group | php | >= 8.0.X < 8.0.8 | 8.0.8 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | — | 5.3 | MEDIUM | — |
| vendor_oracle | — | 5.3 | MEDIUM | — |
| vendor_ubuntu | — | 4.8 | MEDIUM | — |
| vendor_debian | — | 4.3 | MEDIUM | — |
| vendor_msrc | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
CISA ICS
Festo Didactic SE MES PC
cisa_ics · 2026-01-27 · CVSS 7.5
[HIGH] Festo Didactic SE MES PC
ICS Advisory: Festo Didactic SE MES PC
Release Date: January 27, 2026
Alert Code: ICSA-26-027-02
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
MES PCs shipped with Windows 10 come pre-installed with XAMPP. XAMPP is a bundle of third-party open-source applications including the Apache HTTP Server, the MariaDB database and more. From time to time, vulnerabilities in these applications are discovered. These are fixed in newer versions of XAMPP by updating the bundled applications. MES PCs shipped with Windows 10 include a copy of XAMPP which contains around 140 such vulnerabilities listed in this advisory. They can be fixed by replacing XAMPP with Festo Didactic's Factory Control Panel application.
The
Oracle
Oracle Oracle Communications Risk Matrix: Management (PHP) — CVE-2021-21705
vendor_oracle·2022-01-15·CVSS 5.3
CVE-2021-21705 [MEDIUM] Oracle Oracle Communications Risk Matrix: Management (PHP) — CVE-2021-21705
Oracle Oracle Communications Risk Matrix: Management (PHP) vulnerability
CVE: CVE-2021-21705
CVSS: 5.3
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2022 (JAN 2022)
Microsoft
Incorrect URL validation in FILTER_VALIDATE_URL
vendor_msrc·2021-10-12·CVSS 4.3
CVE-2021-21705 [MEDIUM] CWE-20 Incorrect URL validation in FILTER_VALIDATE_URL
Incorrect URL validation in FILTER_VALIDATE_URL
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
php: php
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.c
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2021-07-13·CVSS 4.8
CVE-2021-21702 [MEDIUM] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP.
USN-5006-1 fixed several vulnerabilities in PHP. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
Original advisory details:
It was discovered that PHP incorrectly handled certain PHAR files. A remote
attacker could possibly use this issue to cause PHP to crash, resulting in
a denial of service, or possibly obtain sensitive information. (CVE-2020-7068)
It was discovered that PHP incorrectly handled parsing URLs with passwords.
A remote attacker could possibly use this issue to cause PHP to mis-parse
the URL and produce wrong data. (CVE-2020-7071)
It was discovered that PHP incorrectly handled certain malformed XML data
when being parsed by the SOAP extension. A remot
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2021-07-07·CVSS 4.8
CVE-2020-7071 [MEDIUM] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP.
It was discovered that PHP incorrectly handled certain PHAR files. A remote
attacker could possibly use this issue to cause PHP to crash, resulting in
a denial of service, or possibly obtain sensitive information. This issue
only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-7068)
It was discovered that PHP incorrectly handled parsing URLs with passwords.
A remote attacker could possibly use this issue to cause PHP to mis-parse
the URL and produce wrong data. This issue only affected Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS, and Ubuntu 20.10. (CVE-2020-7071)
It was discovered that PHP incorrectly handled certain malformed XML data
when being parsed by the SOAP extension. A remote attacker could possibl
Red Hat
php: SSRF bypass in FILTER_VALIDATE_URL
vendor_redhat·2021-07-01·CVSS 4.3
CVE-2021-21705 [MEDIUM] CWE-918 php: SSRF bypass in FILTER_VALIDATE_URL
php: SSRF bypass in FILTER_VALIDATE_URL
A flaw was found in php. Currently, php's FILTER_VALIDATE_URL check doesn't recognize some non-compliant RFC 3986 URLs and returns them as valid. This flaw allows an attacker to craft URLs, which depending on how the URL filter checking is used on the application side, lead to Server Side Request Forgery. This issue presents an integrity
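The CVE description and the Red Hat note above make the same practical point: whether a wrongly accepted URL turns into a request to the wrong server depends on how the application uses the result of the filter check. The following PHP is an added example written for this page (it is not code from PHP, Red Hat or any advisory) showing the defence-in-depth pattern that keeps an application safe even when FILTER_VALIDATE_URL is too permissive: validate, then parse independently, reject userinfo and non-web schemes, compare the host against an explicit allowlist, and rebuild the URL from the checked parts. The function name, the allowlist and the sample inputs are all constructed for illustration.

```php
<?php
// Added example (not from the advisory or from PHP's own code): defence in depth
// for code that accepts a user-supplied URL and then fetches it. The lesson of
// CVE-2021-21705 is that filter_var(..., FILTER_VALIDATE_URL) on its own may
// accept a URL it should have rejected, so an access decision must not rest
// on that single check.
declare(strict_types=1);

/**
 * Return a normalised URL if it is acceptable for an outbound request,
 * or null otherwise. $allowedHosts is a hypothetical application allowlist.
 */
function acceptOutboundUrl(string $url, array $allowedHosts): ?string
{
    // Step 1: the syntactic check. Necessary but, per this CVE, not sufficient.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }

    // Step 2: parse independently and reject anything parse_url cannot handle.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }

    // Step 3: only plain web schemes are allowed for an outbound fetch.
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }

    // Step 4: no userinfo at all. The vulnerable check mis-validated the
    // password component; an outbound fetch never needs credentials in the URL.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }

    // Step 5: decide on the host the request will actually reach, compared
    // against an explicit allowlist rather than on what the validator accepted.
    $host = strtolower($parts['host']);
    if (!in_array($host, array_map('strtolower', $allowedHosts), true)) {
        return null;
    }

    // Step 6: rebuild the URL from the parsed parts so the fetch uses exactly
    // what was checked, not the original string.
    $port  = isset($parts['port']) ? ':' . $parts['port'] : '';
    $path  = $parts['path'] ?? '/';
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return $scheme . '://' . $host . $port . $path . $query;
}

// Constructed sample inputs for demonstration (not from the advisory).
$allowlist = ['api.example.internal'];
$samples = [
    'https://api.example.internal/v1/status',          // accepted
    'https://user:pw@api.example.internal/v1/status',  // rejected: userinfo present
    'ftp://api.example.internal/file',                 // rejected: scheme not http/https
    'https://other.example.test/v1/status',            // rejected: host not allowlisted
];
foreach ($samples as $s) {
    printf("%-50s => %s\n", $s, acceptOutboundUrl($s, $allowlist) ?? 'REJECTED');
}
```

The allowlist comparison in step 5 is what actually closes the "contacting a wrong server" outcome named in the description: a validator bug can only make the application accept a string, it cannot make that string's host appear in an allowlist the application controls. Rejecting userinfo outright (step 4) removes the exact component whose validation was wrong in the affected versions, which makes the check robust regardless of whether the PHP runtime has been patched.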
Debian
CVE-2021-21705: php7.4 - In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, wh...
vendor_debian·2021·CVSS 4.3
CVE-2021-21705 [MEDIUM] CVE-2021-21705: php7.4 - In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, wh...
Scope: local
bullseye: resolved (fixed in 7.4.21-1+deb11u1)
GHSA
GHSA-rxcr-7xjm-f9c9: In PHP versions 7
ghsa_unreviewed·2022-05-24
CVE-2021-21705 [MEDIUM] CWE-20 GHSA-rxcr-7xjm-f9c9: In PHP versions 7
OSV
CVE-2021-21705: In PHP versions 7
osv·2021-10-04·CVSS 5.3
CVE-2021-21705 [MEDIUM] CVE-2021-21705: In PHP versions 7
OSV
php5, php7.0 vulnerabilities
osv·2021-07-13·CVSS 3.6
CVE-2020-7068 [LOW] php5, php7.0 vulnerabilities
php5, php7.0 vulnerabilities
USN-5006-1 fixed several vulnerabilities in PHP. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
Original advisory details:
It was discovered that PHP incorrectly handled certain PHAR files. A remote
attacker could possibly use this issue to cause PHP to crash, resulting in
a denial of service, or possibly obtain sensitive information. (CVE-2020-7068)
It was discovered that PHP incorrectly handled parsing URLs with passwords.
A remote attacker could possibly use this issue to cause PHP to mis-parse
the URL and produce wrong data. (CVE-2020-7071)
It was discovered that PHP incorrectly handled certain malformed XML data
when being parsed by the SOAP extension. A remote attacker could possibly
use this issue to cause P
OSV
php7.2, php7.4 vulnerabilities
osv·2021-07-07·CVSS 3.6
CVE-2020-7068 [LOW] php7.2, php7.4 vulnerabilities
php7.2, php7.4 vulnerabilities
It was discovered that PHP incorrectly handled certain PHAR files. A remote
attacker could possibly use this issue to cause PHP to crash, resulting in
a denial of service, or possibly obtain sensitive information. This issue
only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-7068)
It was discovered that PHP incorrectly handled parsing URLs with passwords.
A remote attacker could possibly use this issue to cause PHP to mis-parse
the URL and produce wrong data. This issue only affected Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS, and Ubuntu 20.10. (CVE-2020-7071)
It was discovered that PHP incorrectly handled certain malformed XML data
when being parsed by the SOAP extension. A remote attacker could possibly
use this issue to cause PHP to crash, resulting
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://bugs.php.net/bug.php?id=81122
- https://security.gentoo.org/glsa/202209-20
- https://security.netapp.com/advisory/ntap-20211029-0006/
- https://www.oracle.com/security-alerts/cpujan2022.html
Published: 2021-10-04