CVE-2020-7071
FILTER_VALIDATE_URL accepts URLs with invalid userinfo
In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invalid password as valid URL. This may lead to functions that rely on URL being valid to mis-parse the URL and produce wrong data as components of the URL.
We have discovered 814,697 live websites that are affected by CVE-2020-7071.
Affected Software
| Product |  PHP |
| Category | Programming Languages |
| Vulnerable Versions |
|
| Total Vulnerable Versions | 507 |
| Vulnerable Domains | 814,697 live websites (6.73% of PHP install base) |
Distribution by Website Rank
The diagram provides a graphic representation of the correlation between the occurrence of CVE-2020-7071 and the relative popularity of websitesDetails
- Published - Jan 4, 2021
- Updated - Oct 20, 2021
Credits
- Reported by jifan dot jf at alibaba-inc dot com
CWE
CVE References
CWE References
Countries
 United States | 315,609 websites |
 France | 244,476 websites |
 Germany | 19,214 websites |
 Canada | 18,826 websites |
 GB | 18,366 websites |
 Russia | 16,734 websites |
 Poland | 15,900 websites |
 Italy | 13,906 websites |
 China | 13,279 websites |
 Spain | 13,042 websites |
TLDs
| .com | 423,734 websites |
| .fr | 108,605 websites |
| .org | 49,385 websites |
| .net | 25,905 websites |
| .ru | 13,964 websites |
| .be | 13,013 websites |
| .pl | 12,395 websites |
| .co.uk | 11,473 websites |
| .de | 11,185 websites |
| .ca | 11,106 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redGeographical Distribution
The distribution of websites across the globe that are exposed to CVE-2020-7071 through included software libraries and plugins.References
- https://bugs.php.net/bug.php?id=77423
- https://www.debian.org/security/2021/dsa-4856
- https://security.gentoo.org/glsa/202105-23
- https://lists.debian.org/debian-lts-announce/2021/07/msg00008.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.tenable.com/security/tns-2021-14
- https://security.netapp.com/advisory/ntap-20210312-0005/
Websites affected by CVE-2020-7071
Top websites that are affected by CVE-2020-7071. Please click on the "Contact us" button above to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***.*****.pl | Poland | *,*** | |
| *******.com | Germany | *,*** | |
| ***************.org | United States | *,*** | |
| ***.**.gov | United States | *,*** | |
| ******.com | France | *,*** | |
| **********.com | France | *,*** | |
| ********.org | United States | *,*** | |
| ***.*********.com | United States | *,*** | |
| ****.**********.***.uk | GB | *,*** | |
| ****.******.jp |  Japan | *,*** |