CVE-2021-21702 — MEDIUM (5.3)

Q: How severe is CVE-2021-21702?

CVE-2021-21702 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-21702?

Check the references section above for vendor advisories and patch information. Affected products include: Php Php, Debian Debian Linux, Netapp Clustered Data Ontap, Oracle Communications Diameter Signaling Router.

Vulnerability Description

In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to connect to a SOAP server, a malicious SOAP server could return malformed XML data as a response that would cause PHP to access a null pointer and thus cause a crash.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

LOW

Affected Products

Vendor	Product	Versions
Php	Php	>= 7.3.0, < 7.3.27
Debian	Debian Linux	9.0
Netapp	Clustered Data Ontap	-
Oracle	Communications Diameter Signaling Router	>= 8.0.0, <= 8.5.0

Related Weaknesses (CWE)

CWE-476

References

https://bugs.php.net/bug.php?id=80672Issue TrackingVendor Advisory
https://lists.debian.org/debian-lts-announce/2021/07/msg00008.htmlMailing ListThird Party Advisory
https://security.gentoo.org/glsa/202105-23Third Party Advisory
https://security.netapp.com/advisory/ntap-20210312-0005/Third Party Advisory
https://www.debian.org/security/2021/dsa-4856Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory
https://www.tenable.com/security/tns-2021-14Third Party Advisory
https://bugs.php.net/bug.php?id=80672Issue TrackingVendor Advisory
https://lists.debian.org/debian-lts-announce/2021/07/msg00008.htmlMailing ListThird Party Advisory
https://security.gentoo.org/glsa/202105-23Third Party Advisory
https://security.netapp.com/advisory/ntap-20210312-0005/Third Party Advisory
https://www.debian.org/security/2021/dsa-4856Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory
https://www.tenable.com/security/tns-2021-14Third Party Advisory

FAQ

What is CVE-2021-21702?

CVE-2021-21702 is a vulnerability with a CVSS score of 5.3 (MEDIUM). In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to connect to a SOAP server, a malicious SOAP server could return malformed XML data as a respon...

How severe is CVE-2021-21702?

CVE-2021-21702 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-21702?

Check the references section above for vendor advisories and patch information. Affected products include: Php Php, Debian Debian Linux, Netapp Clustered Data Ontap, Oracle Communications Diameter Signaling Router.