Description
In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.
Exploits (1)
References (5)
Core 5
Core References
Third Party Advisory vendor-advisory
https://www.debian.org/security/2022/dsa-5082
Issue Tracking, Mailing List mailing-list
https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html
Exploit, Issue Tracking, Patch, Release Notes, Vendor Advisory
https://bugs.php.net/bug.php?id=79971
Third Party Advisory
https://security.netapp.com/advisory/ntap-20211223-0005/
Patch, Release Notes, Third Party Advisory
https://www.tenable.com/security/tns-2022-09
Scores
CVSS v3
5.3
EPSS
0.0056
EPSS Percentile
68.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-159
Status
published
Products (5)
debian/debian_linux
10.0
debian/debian_linux
11.0
netapp/clustered_data_ontap
php/php
7.3.0 - 7.3.33
tenable/tenable.sc
< 5.21.0
Published
Nov 29, 2021
Tracked Since
Feb 18, 2026