PT-2020-5867 · Php+9

Published: 2020-07-06 · Updated: 2025-08-11 · CVE-2020-7071

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: PHP versions 7.3.x through 7.3.25; PHP versions 7.4.x through 7.4.13; PHP version 8.0.0
Description: The issue is related to insufficient input validation in PHP's URL validation functions, such as filter_var($url, FILTER_VALIDATE_URL). This allows an attacker to provide a URL with an invalid password that is accepted as a valid URL. As a result, functions relying on the URL being valid may mis-parse the URL and produce incorrect data as components of the URL.
Recommendations: For PHP versions 7.3.x through 7.3.25, update to version 7.3.26 or later. For PHP versions 7.4.x through 7.4.13, update to version 7.4.14 or later. For PHP version 8.0.0, update to a later version that addresses this issue. As a temporary workaround, consider validating URLs using additional checks to ensure the password is valid before relying on the URL being valid.
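
One way to implement the temporary workaround described above, as an added example that is not part of the original advisory or of PHP itself: after FILTER_VALIDATE_URL passes, re-check the user and password components against the RFC 3986 userinfo character set, or reject credentials in URLs outright. The function names, the $allowUserinfo option and the sample URLs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a PHP built-in): true when a parse_url() 'user' or
// 'pass' component uses only characters RFC 3986 permits in userinfo.
function userinfo_component_is_valid(string $part): bool
{
    // unreserved / sub-delims / ":" or a %XX percent-encoded octet
    $pattern = '/\A(?:[A-Za-z0-9._~!$&\'()*+,;=:-]|%[0-9A-Fa-f]{2})*\z/';
    return preg_match($pattern, $part) === 1;
}

// Hypothetical wrapper: FILTER_VALIDATE_URL plus an explicit userinfo check,
// so the result does not depend on the PHP patch level.
function validate_url_strict(string $url, bool $allowUserinfo = false): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    $hasUserinfo = isset($parts['user']) || isset($parts['pass']);
    if ($hasUserinfo && !$allowUserinfo) {
        return false; // strictest policy: no credentials in URLs at all
    }
    foreach (['user', 'pass'] as $key) {
        if (isset($parts[$key]) && !userinfo_component_is_valid($parts[$key])) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs; the last has "{" in the password, which is
// outside the RFC 3986 userinfo character set.
$samples = [
    'https://example.com/path',
    'https://user:p%40ss@example.com/',
    'https://user:pa{ss@example.com/',
];
foreach ($samples as $url) {
    printf("%-36s allowUserinfo=true: %s\n", $url,
        var_export(validate_url_strict($url, true), true));
}
```

With the default $allowUserinfo = false, any URL carrying credentials is rejected, which removes the dependence on how the userinfo part is parsed.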

Related Identifiers

ALSA-2021:4213
ALT-PU-2021-1013
ALT-PU-2021-1070
ALT-PU-2021-3079
BDU:2021-01914
BIT-LIBPHP-2020-7071
BIT-PHP-2020-7071
BIT-PHP-MIN-2020-7071
CESA-2021_4213
CVE-2020-7071
DLA-2708-1
DLA-3833-1
DLA-3920-1
DSA-4856-1
MGASA-2021-0025
OESA-2021-1018
OPENSUSE-SU-2021:0101-1
OPENSUSE-SU-2021:0106-1
OPENSUSE-SU-2021_0101-1
OPENSUSE-SU-2021_0106-1
OPENSUSE-SU-2022_4067-1
OPENSUSE-SU-2022_4069-1
RHSA-2021:2992
RHSA-2021:4213
RHSA-2021_4213
RLSA-2021:4213
SUSE-SU-2021:0124-1
SUSE-SU-2021:0125-1
SUSE-SU-2021:0126-1
SUSE-SU-2021_0124-1
SUSE-SU-2021_0125-1
SUSE-SU-2021_0126-1
SUSE-SU-2022:4067-1
SUSE-SU-2022:4068-1
SUSE-SU-2022:4069-1
USN-5006-1
USN-5006-2

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Php
Red Hat
Rocky Linux
Suse
Ubuntu