Platform
php
Component
php
Fixed in
7.3.26
7.4.14
8.0.1
CVE-2020-7071 is a flaw in PHP's URL validation. A crafted URL containing an invalid password component is incorrectly accepted as a valid URL by functions such as filter_var. Code that later parses the URL can therefore misinterpret its components, producing unexpected behaviour in applications that rely on URL validation. Affected are PHP 7.3.x before 7.3.26, 7.4.x before 7.4.14, and 8.0.0; fixes are available in 7.3.26, 7.4.14 and 8.0.1.
An attacker exploits CVE-2020-7071 by crafting a URL with an invalid password component and passing it to a PHP function that relies on URL validation. Because the validator accepts the URL, subsequent code that processes it may misinterpret its components, leading to unexpected behaviour or data errors. The flaw does not directly lead to code execution, but it can be used to manipulate application logic and potentially gain unauthorized access to data or functionality. The impact is most serious in applications that use URL validation for security decisions such as authentication or authorization.
CVE-2020-7071 was published on February 15, 2021. There are currently no publicly known active campaigns exploiting this vulnerability. No public Proof-of-Concept (POC) code has been widely released. The vulnerability's severity is rated as MEDIUM based on the CVSS score. It is not currently listed on CISA’s Known Exploited Vulnerabilities catalog (KEV).
Exploit status
EPSS
7.00% (91st percentile)
CVSS vector
The primary mitigation for CVE-2020-7071 is to upgrade to a fixed PHP release (7.3.26, 7.4.14, or 8.0.1 and later). If upgrading is not immediately feasible, add validation of your own after filter_var() has accepted a URL: check that the scheme, hostname, and path conform to the patterns your application expects, or use a more robust URL parsing library with more reliable validation. After upgrading, confirm the fix by validating a URL that contains an invalid password and verifying that it is now rejected.
Update to the latest PHP version. Specifically, update to version 7.3.26 or later, 7.4.14 or later, or 8.0.1 or later. This corrects the flaw in the URL validation function.
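The component checks described above, as an added defence-in-depth example that is not code from this advisory or from the PHP project. It assumes only PHP's built-in filter_var() and parse_url(); the allow-lists, the hostname and path patterns, and the sample URLs are constructed for illustration. The function accepts a URL only if filter_var() accepts it and the parsed components also pass explicit checks, so a malformed user:password part is rejected even on an unpatched build where filter_var() alone would let it through.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not from the advisory or PHP itself): second-stage URL
 * validation layered on top of filter_var(). Embedded credentials are
 * rejected outright because they are the component the affected validator
 * mishandles, and most applications never need them in a URL.
 *
 * Assumptions: https-only by default; hostnames must be DNS-style labels
 * (IP literals are rejected); the path may contain only RFC 3986
 * unreserved and sub-delimiter characters.
 */
function isAcceptableUrl(string $url, array $allowedSchemes = ['https'], array $allowedHosts = []): bool
{
    // First gate: PHP's own validator (the one affected by CVE-2020-7071).
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }

    // Second gate: inspect the individual components.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }

    // Scheme must be on the allow-list (schemes are case-insensitive).
    if (!in_array(strtolower($parts['scheme']), $allowedSchemes, true)) {
        return false;
    }

    // No user:password@ component at all, valid or otherwise.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }

    // Hostname: labels of letters, digits and hyphens, no leading/trailing hyphen.
    $host = strtolower($parts['host']);
    if (!preg_match('/^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$/', $host)) {
        return false;
    }
    if ($allowedHosts !== [] && !in_array($host, $allowedHosts, true)) {
        return false;
    }

    // Path, if present, restricted to a conservative character set.
    if (isset($parts['path']) && !preg_match('#^(/[A-Za-z0-9._~%!$&\'()*+,;=:@-]*)*$#', $parts['path'])) {
        return false;
    }

    return true;
}

// Constructed sample inputs with the expected verdict for each.
$samples = [
    'https://example.com/path/to/resource' => true,
    'https://example.com:8443/api'         => true,
    'http://example.com/'                  => false, // scheme not on allow-list
    'https://user:secret@example.com/'     => false, // embedded credentials rejected
    'https://exa mple.com/'                => false, // malformed host
];
foreach ($samples as $url => $expected) {
    $actual = isAcceptableUrl($url);
    printf("%-42s %s\n", $url, $actual === $expected ? 'ok' : 'MISMATCH');
}
```

Run it with `php check_url.php` (any filename) on a fixed or unfixed PHP build; every sample should print `ok`. The point of the second gate is that the verdict no longer depends on filter_var() being correct: a URL with a malformed password fails the explicit credential check regardless of PHP version, and the scheme and host allow-lists narrow what the application will act on.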
Versions 7.3.x below 7.3.26, 7.4.x below 7.4.14, and 8.0.0 are vulnerable to CVE-2020-7071.
Check the PHP version installed on your server. If it is one of the versions listed above, it is likely vulnerable.
Implement additional validation in your code to verify URLs before using them, for example with stricter regular expressions.
Any input string that URL validation interprets as a URL with an invalid password component.
You can find more information in the PHP security advisory and vulnerability databases like CVE.