#VU50403 NULL pointer dereference in PHP - CVE-2021-21702

Cybersecurity Help s.r.o.

Published: 2021-02-07 | Updated: 2023-10-27

Vulnerability identifier: #VU50403

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-21702

CWE-ID: CWE-476

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within the SoapClient in PHP. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

PHP: 7.3.0alpha1 - 7.3.26, 7.4.0 - 7.4.14, 8.0.0 - 8.0.1

External links
https://www.php.net/ChangeLog-8.php
https://bugs.php.net/80672
https://www.php.net/ChangeLog-7.php

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Juniper Junos OS J-Web update for PHP

SUSE update for php7

SUSE update for php74

Multiple vulnerabilities in Zimbra Collaboration

Red Hat Enterprise Linux 8 update for the php:7.4 module

HPE HP-UX Web Server Suite Software update for HP-UX PHP

Red Hat Software Collections update for rh-php73-php

Multiple vulnerabilities in Tenable.sc

Ubuntu update for php5

Ubuntu update for php7.2