CVE-2021-21707

CVE-2021-21707 php: special character breaks path in xml parsing

Publication Date 2021-11-15
Severity High
Type Information Disclosure
Affected PHP Versions
  • 5.6.0 - 5.6.40
  • 7.1.0 - 7.1.33
  • 7.2.0 - 7.2.34
  • 7.3.0 - 7.3.32
  • 7.4.0 - 7.4.25
  • 8.0.0 - 8.0.12
Fixed Product Versions
  • ZendPHP 5.6
  • ZendPHP 7.1
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendPHP 8.0
  • ZendServer 2021.1.1

CVE Details

In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended. The main cause of this vulnerability is improper input validation while parsing an Extensible Markup Language(XML) entity. A special character could allow an attacker to traverse directories. The highest threat from this vulnerability is to confidentiality and integrity.

Recommendations

If you are parsing XML in your applications, upgrade to PHP 7.3.33 or above, 7.4.26 or above, or 8.0.13 or above.

If you cannot upgrade immediately, ensure any user-supplied filenames are URL-decoded (e.g., $decodedFilename = urldecode($filename); before you pass them to an XML parsing function such as simplexml_load_file().