BIT-php-2021-21707

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/php/BIT-php-2021-21707.json
JSON Data
https://api.test.osv.dev/v1/vulns/BIT-php-2021-21707
Aliases
Published
2024-03-06T11:04:43.087Z
Modified
2024-03-06T11:25:28.861Z
Summary
[none]
Details

In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexmlloadfile(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.

Database specific
{
    "cpes": [
        "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
}
References

Affected packages

Bitnami / php

Package

Name
php
Purl
pkg:bitnami/php

Severity

  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
7.3.0
Fixed
7.3.33
Introduced
7.4.0
Fixed
7.4.26
Introduced
8.0.0
Fixed
8.0.13