CVE-2020-7071
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2020-7071
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-7071.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2020-7071
- Aliases
- Downstream
- Related
- Published
- 2021-02-15T04:15:12Z
- Modified
- 2025-10-15T04:35:51Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like filtervar($url, FILTERVALIDATE_URL), PHP will accept an URL with invalid password as valid URL. This may lead to functions that rely on URL being valid to mis-parse the URL and produce wrong data as components of the URL.
- References
-
- https://bugs.php.net/bug.php?id=77423
- https://lists.debian.org/debian-lts-announce/2021/07/msg00008.html
- https://security.gentoo.org/glsa/202105-23
- https://security.netapp.com/advisory/ntap-20210312-0005/
- https://www.debian.org/security/2021/dsa-4856
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.tenable.com/security/tns-2021-14
Affected packages
Git / github.com/php/php-src
Database specific
vanir_signatures
[
{
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"227590726783538602739410841003471904793",
"66680938880302284338338960787911270257",
"171183897526155539642673019964330521437",
"148221363525494540717156201398603599226",
"14027080294252728254363174975924474113",
"76883004995448503163927027256011056830",
"64543593176252355754339515403925011044",
"12108129512617529725365468371233867917",
"100947579209271428937666099495064218656",
"101484631618889424068088575429425243002",
"283402044833093694227510714613320421908"
]
},
"id": "CVE-2020-7071-bd47661d",
"source": "https://github.com/php/php-src/commit/d4f5aed22193106271510efd643ba8f349b7d85f",
"target": {
"file": "ext/standard/url.c"
}
},
{
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "104833949699379374291448524444507709786",
"length": 4481.0
},
"id": "CVE-2020-7071-fe94b820",
"source": "https://github.com/php/php-src/commit/d4f5aed22193106271510efd643ba8f349b7d85f",
"target": {
"function": "php_url_parse_ex2",
"file": "ext/standard/url.c"
}
}
]