PT-2021-6877
Rawataman6525
Published 2021-11-20 · Updated 2025-08-11
CVE-2021-21707
CVSS v3.1: 5.3 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
PHP versions 7.3.x through 7.3.32
PHP versions 7.4.x through 7.4.25
PHP versions 8.0.x through 8.0.12
Description
Certain XML parsing functions in PHP, such as simplexml_load_file(), URL-decode the filename passed to them before opening it. If the filename contains a URL-encoded NUL character (%00), the decoded NUL byte terminates the path string, so the function opens a different file than the caller intended: everything after the %00, for example a fixed ".xml" suffix appended by the application, is silently dropped. PHP's own path-argument check rejects a raw NUL byte, but the percent-encoded form passes it because decoding happens later, inside the libxml stream layer. An attacker who can influence the filename, typically remotely through a web application that builds the path from request data, can use this to read files outside the intended set and may disclose protected information.
Recommendations
For PHP versions 7.3.x through 7.3.32, update to version 7.3.33 or later.
For PHP versions 7.4.x through 7.4.25, update to version 7.4.26 or later.
For PHP versions 8.0.x through 8.0.12, update to version 8.0.13 or later.
Until the update is applied, do not pass user-controlled data into the filename argument of simplexml_load_file() or other libxml-backed loaders (for example DOMDocument::load() and XMLReader::open()) without validation: reject any value containing a NUL byte or a percent-encoded NUL (%00), or better, restrict names to a strict allowlist and resolve the final path against a fixed base directory.
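The vulnerable pattern described above beside a hardened version, with the input check that mirrors the condition the patched releases reject. This is an added example for this advisory, not code from PHP or from the advisory's author; the report directory, the request parameter and the function names are assumptions made for illustration.

```php
<?php
// Added example for this advisory; not code from PHP or from the advisory itself.
// The report directory, request parameter and function names are assumptions.

// Vulnerable pattern. On PHP < 7.3.33 / 7.4.26 / 8.0.13 the libxml stream wrapper
// URL-decodes this path before opening it, so a request value of
// "../../../etc/passwd%00" turns "/var/app/reports/../../../etc/passwd%00.xml" into
// a C string that ends at the decoded NUL: the ".xml" suffix the code relies on is lost
// and /etc/passwd is opened instead of a report.
function load_report_vulnerable($name)
{
    $path = '/var/app/reports/' . $name . '.xml';
    return simplexml_load_file($path);
}

// Input check usable in front of any libxml-backed loader
// (simplexml_load_file(), DOMDocument::load(), XMLReader::open()).
// PHP's path-argument check already refuses a raw NUL byte; the percent-encoded
// form is the one that slipped past it, so both are caught here in one place.
function has_nul_or_encoded_nul($value)
{
    return strpos($value, "\0") !== false || strpos($value, '%00') !== false;
}

// Hardened pattern: an allowlist makes percent signs, slashes and NULs impossible,
// and realpath() pins the final path inside the intended directory even if the
// allowlist is later loosened.
function load_report_safe($name)
{
    if (has_nul_or_encoded_nul($name) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        throw new InvalidArgumentException('invalid report name');
    }
    $base = realpath('/var/app/reports');
    if ($base === false) {
        throw new RuntimeException('report directory missing');
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.xml');
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('report not found');
    }
    return simplexml_load_file($path);
}

// Constructed inputs exercising the check (no file access needed).
$samples = [
    'quarterly-2021'      => false,
    '../../etc/passwd%00' => true,
    "../../etc/passwd\0"  => true,
    'quarterly%2D2021'    => false, // other encodings are not NULs; the allowlist rejects them
];
foreach ($samples as $input => $expected) {
    if (has_nul_or_encoded_nul($input) !== $expected) {
        throw new LogicException('unexpected result for ' . addcslashes($input, "\0..\37"));
    }
}
echo "checks passed\n";
```

The allowlist, not the NUL check, is the real control: a name that cannot contain "%" or "/" never reaches the decoder with anything to decode, and the realpath() comparison catches traversal through any future relaxation of that pattern. The NUL check is kept because it is cheap and matches what the fixed PHP releases enforce inside the libxml wrapper.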
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Php
Red Hat
Rocky Linux
Suse
Ubuntu