Cyber Resilience

CVE-2021-21707

MediumPublic PoC

Published: 29 November 2021

Published
29 November 2021
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.0056 68.8th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-21707 is a medium-severity Improper Handling of Invalid Use of Special Elements (CWE-159) vulnerability in Php Php. Its CVSS base score is 5.3 (Medium).

Operationally, ranked in the top 31.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this…

more

as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

php
php
7.3.0 — 7.3.33 · 7.4.0 — 7.4.26 · 8.0.0 — 8.0.13
netapp
clustered data ontap
all versions
debian
debian linux
10.0, 11.0
tenable
tenable.sc
≤ 5.21.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References