CVE-2021-21708
Published: 31 December 2021
In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result it crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits.
Notes
| Author | Note |
|---|---|
| sbeattie | PEAR issues should go against php-pear as of xenial |
| rodrigo-zaiden | the issue was introduced in PHP 7.4, seems like it was in commit https://github.com/php/php-src/commit/07df6594 |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
php5 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| trusty |
Not vulnerable
(code not present)
|
|
| upstream |
Not vulnerable
(code not present)
|
|
| xenial |
Does not exist
|
|
|
php7.0 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
(code not present)
|
|
| xenial |
Not vulnerable
(code not present)
|
|
|
php7.2 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(code not present)
|
| focal |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
(code not present)
|
|
| xenial |
Does not exist
|
|
|
php7.4 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Released
(7.4.3-4ubuntu2.9)
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(7.4.28)
|
|
| xenial |
Does not exist
|
|
|
Patches: upstream: https://github.com/php/php-src/commit/dce5e561a63fc970de722636ad8c09e9b079e8ae |
||
|
php8.0 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| impish |
Released
(8.0.8-1ubuntu0.2)
|
|
| jammy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
php8.1 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Released
(8.1.2-1ubuntu1)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(8.1.3)
|
|
| xenial |
Does not exist
|
|
|
Patches: upstream: https://github.com/php/php-src/commit/82f1bf1b6bc3a43aba62214870e6d0931e93a6d9 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 9.8 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
- https://nakedsecurity.sophos.com/2022/02/18/irony-alert-php-fixes-security-flaw-in-input-validation-code/
- https://www.php.net/ChangeLog-8.php#PHP_8_1
- https://www.php.net/ChangeLog-7.php#PHP_7_4
- https://ubuntu.com/security/notices/USN-5303-1
- https://www.cve.org/CVERecord?id=CVE-2021-21708
- NVD
- Launchpad
- Debian