CVE-2021-21707
Special characters break path parsing in XML functions
In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.
We have discovered 1,044,385 live websites that are affected by CVE-2021-21707.
Affected Software
| Product |  PHP |
| Category | Programming Languages |
| Vulnerable Versions |
|
| Total Vulnerable Versions | 507 |
| Vulnerable Domains | 1,044,385 live websites (8.63% of PHP install base) |
Distribution by Website Rank
The diagram provides a graphic representation of the correlation between the occurrence of CVE-2021-21707 and the relative popularity of websitesDetails
- Published - Nov 15, 2021
- Updated - Dec 15, 2022
Credits
- Reported by rawataman6525 at gmail dot com
CWE
CVE References
CWE References
Countries
 United States | 369,155 websites |
 France | 259,809 websites |
 Russia | 40,552 websites |
 Germany | 31,120 websites |
 GB | 23,678 websites |
 Canada | 22,380 websites |
 Brazil | 21,029 websites |
 Spain | 19,496 websites |
 Argentina | 19,408 websites |
 Poland | 19,229 websites |
TLDs
| .com | 504,943 websites |
| .fr | 114,875 websites |
| .org | 58,350 websites |
| .ru | 32,907 websites |
| .net | 32,270 websites |
| .de | 19,256 websites |
| .com.br | 17,060 websites |
| .pl | 14,749 websites |
| .be | 14,310 websites |
| .it | 14,215 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redGeographical Distribution
The distribution of websites across the globe that are exposed to CVE-2021-21707 through included software libraries and plugins.References
- https://bugs.php.net/bug.php?id=79971
- https://security.netapp.com/advisory/ntap-20211223-0005/
- https://www.debian.org/security/2022/dsa-5082
- https://www.tenable.com/security/tns-2022-09
- https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html
Websites affected by CVE-2021-21707
Top websites that are affected by CVE-2021-21707. Please click on the "Contact us" button above to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *******.com | United States | *,*** | |
| ***.*****.pl | Poland | *,*** | |
| *******.com | Germany | *,*** | |
| ****.org | GB | *,*** | |
| ***************.org | United States | *,*** | |
| ***.ly | United States | *,*** | |
| **********.org | United States | *,*** | |
| ***.**.gov | United States | *,*** | |
| ***.**********.org | United States | *,*** | |
| ******.com | France | *,*** |