// For flags

CVE-2020-7071

FILTER_VALIDATE_URL accepts URLs with invalid userinfo

Severity Score

5.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invalid password as valid URL. This may lead to functions that rely on URL being valid to mis-parse the URL and produce wrong data as components of the URL.

En PHP versiones 7.3.x por debajo de 7.3.26, 7.4.x por debajo de 7.4.14 y 8.0.0, cuando se comprueba una URL con funciones como filter_var ($url, FILTER_VALIDATE_URL), PHP aceptará una URL con una contraseña no válida como una URL válida. Esto puede conllevar a funciones que dependen de que la URL sea válida para analizar inapropiadamente la URL y producir datos incorrectos como componentes de la URL

*Credits: Reported by jifan dot jf at alibaba-inc dot com
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-01-15 CVE Reserved
  • 2021-02-15 CVE Published
  • 2024-03-07 EPSS Updated
  • 2024-09-16 CVE Updated
  • 2024-09-16 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-20: Improper Input Validation
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Php
Search vendor "Php"
Php
Search vendor "Php" for product "Php"
>= 7.3.0 < 7.3.26
Search vendor "Php" for product "Php" and version " >= 7.3.0 < 7.3.26"
-
Affected
Php
Search vendor "Php"
Php
Search vendor "Php" for product "Php"
>= 7.4.0 < 7.4.14
Search vendor "Php" for product "Php" and version " >= 7.4.0 < 7.4.14"
-
Affected
Php
Search vendor "Php"
Php
Search vendor "Php" for product "Php"
>= 8.0.0 < 8.0.1
Search vendor "Php" for product "Php" and version " >= 8.0.0 < 8.0.1"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected
Netapp
Search vendor "Netapp"
Clustered Data Ontap
Search vendor "Netapp" for product "Clustered Data Ontap"
--
Affected