CVE-2021-21705

Name	CVE-2021-21705
Description	In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filter_var() function with FILTER_VALIDATE_URL parameter, an URL with invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially leading to other security implications - like contacting a wrong server or making a wrong access decision.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-2708-1, DSA-4935-1
Debian Bugs	990575

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
php7.4 (PTS)	bullseye	7.4.33-1+deb11u5	fixed
	bullseye (security)	7.4.33-1+deb11u8	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
php7.0	source	stretch	7.0.33-0+deb9u11	DLA-2708-1
php7.0	source	(unstable)	(unfixed)
php7.3	source	buster	7.3.29-1~deb10u1	DSA-4935-1
php7.3	source	(unstable)	(unfixed)
php7.4	source	(unstable)	7.4.21-1+deb11u1
php8.0	source	(unstable)	8.0.8-1		990575

Fixed in 8.0.8, 7.4.21, 7.3.29
PHP Bug: https://bugs.php.net/81122