CVE-2021-21705
Incorrect URL validation in FILTER_VALIDATE_URL
In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filter_var() function with FILTER_VALIDATE_URL parameter, an URL with invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially leading to other security implications - like contacting a wrong server or making a wrong access decision.
We have discovered 922,016 live websites that are affected by CVE-2021-21705.
Affected Software
| Product |  PHP |
| Category | Programming Languages |
| Vulnerable Versions |
|
| Total Vulnerable Versions | 507 |
| Vulnerable Domains | 922,016 live websites (7.62% of PHP install base) |
Distribution by Website Rank
The diagram provides a graphic representation of the correlation between the occurrence of CVE-2021-21705 and the relative popularity of websitesDetails
- Published - Jun 28, 2021
- Updated - Sep 29, 2022
Credits
- reported by vi at hackberry dot xyz
CWE
CVE References
CWE References
Countries
 United States | 344,487 websites |
 France | 249,328 websites |
 Germany | 28,358 websites |
 Russia | 25,777 websites |
 GB | 21,797 websites |
 Canada | 21,051 websites |
 Poland | 18,158 websites |
 Italy | 17,574 websites |
 Spain | 17,058 websites |
 China | 15,263 websites |
TLDs
| .com | 463,464 websites |
| .fr | 110,652 websites |
| .org | 53,409 websites |
| .net | 28,805 websites |
| .ru | 20,916 websites |
| .de | 17,482 websites |
| .pl | 13,938 websites |
| .be | 13,683 websites |
| .co.uk | 13,201 websites |
| .it | 13,061 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redGeographical Distribution
The distribution of websites across the globe that are exposed to CVE-2021-21705 through included software libraries and plugins.References
- https://bugs.php.net/bug.php?id=81122
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://security.netapp.com/advisory/ntap-20211029-0006/
- https://security.gentoo.org/glsa/202209-20
Websites affected by CVE-2021-21705
Top websites that are affected by CVE-2021-21705. Please click on the "Contact us" button above to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***.*****.pl | Poland | *,*** | |
| *******.com | Germany | *,*** | |
| ****.org | GB | *,*** | |
| ***************.org | United States | *,*** | |
| ***.ly | United States | *,*** | |
| **********.org | United States | *,*** | |
| ***.**.gov | United States | *,*** | |
| ******.com | France | *,*** | |
| **********.com | France | *,*** | |
| ********.org | United States | *,*** |