CVE-2021-21707
Published: 29 November 2021
Summary
CVE-2021-21707 is a medium-severity Improper Handling of Invalid Use of Special Elements (CWE-159) vulnerability in PHP. Its CVSS base score is 5.3 (Medium).
Operationally, it ranks in the top 31.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-8879
Vulnerability details
In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains a URL-encoded NUL character, the function may interpret it as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead to it reading a different file than intended.
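The following PHP snippet is an added example, not code from the CVE record or from the PHP project, showing a defender-side guard for the behaviour described above: a filename is rejected before it reaches an XML loader if it contains a raw NUL byte, a percent-encoded NUL, or any other sequence that changes under URL-decoding. The helper name assert_plain_xml_path(), the exception class, and the sample paths are assumptions made for illustration, and rawurldecode() is used as a stand-in for whatever decoding the affected versions apply. The definitive fix remains upgrading to 7.3.33, 7.4.26 or 8.0.13 as stated above; the check is defence in depth for code paths that accept user-supplied paths.

```php
<?php
// Added example, not part of the CVE record. Guards a user-supplied path
// before it is passed to an XML parsing function such as simplexml_load_file().
declare(strict_types=1);

// Hypothetical exception type for this example.
final class UnsafeXmlPathException extends InvalidArgumentException {}

/**
 * Returns $path unchanged if it is safe to hand to an XML loader, otherwise
 * throws. "Safe" here means: no NUL byte, nothing that decodes to a NUL byte,
 * and no percent-encoded sequence at all, since the affected PHP versions
 * decode the name and would therefore open a different file than written.
 */
function assert_plain_xml_path(string $path): string
{
    if (strpos($path, "\0") !== false) {
        throw new UnsafeXmlPathException('filename contains a NUL byte');
    }

    // rawurldecode() is an assumption standing in for the loader's decoding;
    // treating any name that changes under decoding as suspect is conservative.
    $decoded = rawurldecode($path);

    if (strpos($decoded, "\0") !== false) {
        throw new UnsafeXmlPathException('filename contains a URL-encoded NUL');
    }
    if ($decoded !== $path) {
        throw new UnsafeXmlPathException('filename changes under URL-decoding');
    }
    return $path;
}

// Constructed sample inputs for illustration (not real findings).
$samples = [
    'config/feed.xml',          // accepted
    "config/feed.xml\0.txt",    // rejected: raw NUL
    'config/feed.xml%00.txt',   // rejected: encoded NUL, would truncate the name
    'config/feed%2Ebak.xml',    // rejected: decodes to a different name
];

foreach ($samples as $sample) {
    $shown = addcslashes($sample, "\0..\37"); // make control bytes visible
    try {
        $checked = assert_plain_xml_path($sample);
        // Only a name that survived the checks reaches the parser.
        $xml = @simplexml_load_file($checked);
        echo "accepted: $shown" . ($xml === false ? ' (no such file or not XML)' : '') . "\n";
    } catch (UnsafeXmlPathException $e) {
        echo "rejected: $shown (" . $e->getMessage() . ")\n";
    }
}
```

Run with `php guard.php`; the first sample is accepted (and reported as missing unless the file exists), the other three are rejected with the reason shown. Rejecting rather than sanitising keeps the decision auditable: a rejected path is logged with its reason instead of being silently rewritten into something the caller did not ask for.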
- CWE(s): CWE-159 (Improper Handling of Invalid Use of Special Elements)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.