{"id":"BIT-php-2021-21705","summary":"Incorrect URL validation in FILTER_VALIDATE_URL","details":"In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using the URL validation functionality via the filter_var() function with the FILTER_VALIDATE_URL parameter, a URL with an invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially to other security implications, such as contacting a wrong server or making a wrong access decision.","aliases":["BIT-libphp-2021-21705","BIT-php-min-2021-21705","CVE-2021-21705"],"modified":"2025-08-11T14:45:05.338166Z","published":"2024-03-06T11:05:02.602Z","database_specific":{"severity":"Medium","cpes":["cpe:2.3:a:php:php:*:*:*:*:*:*:*:*"]},"references":[{"type":"WEB","url":"https://bugs.php.net/bug.php?id=81122"},{"type":"WEB","url":"https://security.gentoo.org/glsa/202209-20"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20211029-0006/"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21705"}],"affected":[{"package":{"name":"php","ecosystem":"Bitnami","purl":"pkg:bitnami/php"},"ranges":[{"type":"SEMVER","events":[{"introduced":"7.3.0"},{"fixed":"7.3.29"},{"introduced":"7.4.0"},{"fixed":"7.4.21"},{"introduced":"8.0.0"},{"fixed":"8.0.8"}]}],"database_specific":{"source":"https://github.com/bitnami/vulndb/tree/main/data/php/BIT-php-2021-21705.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}],"schema_version":"1.7.3"}