Oracle Linux: CVE-2021-21705: ELSA-2022-1935: php:7.4 security update (MODERATE) (Multiple Advisories)
Description
In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filter_var() function with FILTER_VALIDATE_URL parameter, an URL with invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially leading to other security implications - like contacting a wrong server or making a wrong access decision. A flaw was found in php. Currently, php's FILTER_VALIDATE_URL check doesn't recognize some non-compliant RFC 3986 URLs and returns them as valid. This flaw allows an attacker to craft URLs, which depending on how the URL filter checking is used on the application side, lead to Server Side Request Forgery. This issue presents an integrity risk for the application, as eventually, the attacker can manipulate resources that shouldn't be fully available for users.
Solution(s)
- oracle-linux-upgrade-apcu-panel
- oracle-linux-upgrade-libzip
- oracle-linux-upgrade-libzip-devel
- oracle-linux-upgrade-libzip-tools
- oracle-linux-upgrade-php
- oracle-linux-upgrade-php-bcmath
- oracle-linux-upgrade-php-cli
- oracle-linux-upgrade-php-common
- oracle-linux-upgrade-php-dba
- oracle-linux-upgrade-php-dbg
- oracle-linux-upgrade-php-devel
- oracle-linux-upgrade-php-embedded
- oracle-linux-upgrade-php-enchant
- oracle-linux-upgrade-php-ffi
- oracle-linux-upgrade-php-fpm
- oracle-linux-upgrade-php-gd
- oracle-linux-upgrade-php-gmp
- oracle-linux-upgrade-php-intl
- oracle-linux-upgrade-php-json
- oracle-linux-upgrade-php-ldap
- oracle-linux-upgrade-php-mbstring
- oracle-linux-upgrade-php-mysqlnd
- oracle-linux-upgrade-php-odbc
- oracle-linux-upgrade-php-opcache
- oracle-linux-upgrade-php-pdo
- oracle-linux-upgrade-php-pear
- oracle-linux-upgrade-php-pecl-apcu
- oracle-linux-upgrade-php-pecl-apcu-devel
- oracle-linux-upgrade-php-pecl-rrd
- oracle-linux-upgrade-php-pecl-xdebug
- oracle-linux-upgrade-php-pecl-zip
- oracle-linux-upgrade-php-pgsql
- oracle-linux-upgrade-php-process
- oracle-linux-upgrade-php-snmp
- oracle-linux-upgrade-php-soap
- oracle-linux-upgrade-php-xml
- oracle-linux-upgrade-php-xmlrpc
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center