Search CVE reports
31 – 40 of 243 results
CVE-2021-21706
Negligible priorityIn PHP versions 7.3.x below 7.3.31, 7.4.x below 7.4.24 and 8.0.x below 8.0.11, in Microsoft Windows environment, ZipArchive::extractTo may be tricked into writing a file outside target directory when extracting a ZIP file, thus...
6 affected packages
php5, php7.0, php7.2, php7.4, php8.0, php8.1
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php5 | — | Not in release | Not in release | Not in release | Not in release |
php7.0 | — | Not in release | Not in release | Not in release | Not affected |
php7.2 | — | Not in release | Not in release | Not affected | Not in release |
php7.4 | — | Not in release | Not affected | Not in release | Not in release |
php8.0 | — | Not in release | Not in release | Not in release | Not in release |
php8.1 | — | Not affected | Not in release | Not in release | Not in release |
CVE-2021-40812
Low priorityThe GD Graphics Library (aka LibGD) through 2.3.2 has an out-of-bounds read because of the lack of certain gdGetBuf and gdPutBuf return value checks.
5 affected packages
libgd2, php5, php7.0, php7.2, php7.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
libgd2 | Not affected | Vulnerable | Vulnerable | Vulnerable | Vulnerable |
php5 | Not in release | Not in release | Not in release | Not in release | Not in release |
php7.0 | Not in release | Not in release | Not in release | Not in release | Not affected |
php7.2 | Not in release | Not in release | Not in release | Not affected | Not in release |
php7.3 | Not in release | Not in release | Not in release | Not in release | Not in release |
CVE-2021-40145
Medium priority** DISPUTED ** gdImageGd2Ptr in gd_gd2.c in the GD Graphics Library (aka LibGD) through 2.3.2 has a double free. NOTE: the vendor's position is "The GD2 image format is a proprietary image format of libgd. It has to be regarded as...
5 affected packages
libgd2, php5, php7.0, php7.2, php7.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
libgd2 | — | Fixed | Fixed | Fixed | Fixed |
php5 | — | Not in release | Not in release | Not in release | Not in release |
php7.0 | — | Not in release | Not in release | Not in release | Not affected |
php7.2 | — | Not in release | Not in release | Not affected | Not in release |
php7.3 | — | Not in release | Not in release | Not in release | Not in release |
CVE-2021-38115
Low priorityread_header_tga in gd_tga.c in the GD Graphics Library (aka LibGD) through 2.3.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TGA file.
5 affected packages
libgd2, php5, php7.0, php7.2, php7.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
libgd2 | — | Fixed | Fixed | Fixed | Fixed |
php5 | — | Not in release | Not in release | Not in release | Not in release |
php7.0 | — | Not in release | Not in release | Not in release | Not affected |
php7.2 | — | Not in release | Not in release | Not affected | Not in release |
php7.3 | — | Not in release | Not in release | Not in release | Not in release |
CVE-2021-21705
Medium priorityIn PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filter_var() function with FILTER_VALIDATE_URL parameter, an URL with invalid password field can be accepted...
6 affected packages
php5, php7.0, php7.2, php7.4, php8.0, php8.1
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php5 | — | Not in release | Not in release | Not in release | Not in release |
php7.0 | — | Not in release | Not in release | Not in release | Fixed |
php7.2 | — | Not in release | Not in release | Fixed | Not in release |
php7.4 | — | Not in release | Fixed | Not in release | Not in release |
php8.0 | — | Not in release | Not in release | Not in release | Not in release |
php8.1 | — | Not affected | Not in release | Not in release | Not in release |
CVE-2021-21704
Medium priorityIn PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(),...
6 affected packages
php5, php7.0, php7.2, php7.4, php8.0, php8.1
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php5 | — | Not in release | Not in release | Not in release | Not in release |
php7.0 | — | Not in release | Not in release | Not in release | Fixed |
php7.2 | — | Not in release | Not in release | Fixed | Not in release |
php7.4 | — | Not in release | Fixed | Not in release | Not in release |
php8.0 | — | Not in release | Not in release | Not in release | Not in release |
php8.1 | — | Not affected | Not in release | Not in release | Not in release |
CVE-2021-21702
Low priorityIn PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to connect to a SOAP server, a malicious SOAP server could return malformed XML data as a response that would cause PHP to...
6 affected packages
php5, php7.0, php7.2, php7.4, php8.0, php8.1
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php5 | — | Not in release | Not in release | Not in release | Not in release |
php7.0 | — | Not in release | Not in release | Not in release | Fixed |
php7.2 | — | Not in release | Not in release | Fixed | Not in release |
php7.4 | — | Not in release | Fixed | Not in release | Not in release |
php8.0 | — | Not in release | Not in release | Not in release | Not in release |
php8.1 | — | Not affected | Not in release | Not in release | Not in release |
CVE-2020-7071
Low priorityIn PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invalid password as valid URL. This may lead to functions...
6 affected packages
php5, php7.0, php7.2, php7.4, php8.0, php8.1
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php5 | — | Not in release | Not in release | Not in release | Not in release |
php7.0 | — | Not in release | Not in release | Not in release | Fixed |
php7.2 | — | Not in release | Not in release | Fixed | Not in release |
php7.4 | — | Not in release | Fixed | Not in release | Not in release |
php8.0 | — | Not in release | Not in release | Not in release | Not in release |
php8.1 | — | Not affected | Not in release | Not in release | Not in release |
CVE-2020-7070
Medium priorityIn PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with...
4 affected packages
php5, php7.0, php7.2, php7.4
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php5 | — | — | Not in release | Not in release | Not in release |
php7.0 | — | — | Not in release | Not in release | Fixed |
php7.2 | — | — | Not in release | Fixed | Not in release |
php7.4 | — | — | Fixed | Not in release | Not in release |
CVE-2020-7069
Medium priorityIn PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both...
4 affected packages
php5, php7.0, php7.2, php7.4
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php5 | — | — | Not in release | Not in release | Not in release |
php7.0 | — | — | Not in release | Not in release | Not affected |
php7.2 | — | — | Not in release | Fixed | Not in release |
php7.4 | — | — | Fixed | Not in release | Not in release |