CVE-2020-7071
FILTER_VALIDATE_URL accepts URLs with invalid userinfoIn PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invalid password as valid URL. This may lead to functions that rely on URL being valid to mis-parse the URL and produce wrong data as components of the URL.
We have discovered 385,065 live websites that are affected by CVE-2020-7071.
Affected Software
| Product |  PHP |
| Category | Programming Languages |
| Vulnerable Domains | 385,065 live websites (4.97% of PHP install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 41 versions ( 8.20% of all versions) |
Common Weakness Enumeration
CWE-20 Improper Input ValidationDetails
- Published - Feb 15, 2021
- Updated - Sep 16, 2024
Credits
- Reported by jifan dot jf at alibaba-inc dot com
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2020-7071 United States | 151,936 websites |
 France | 139,019 websites |
 Russia | 8,665 websites |
 Germany | 7,945 websites |
 Canada | 7,208 websites |
 China | 6,367 websites |
 Poland | 6,117 websites |
 Japan | 5,782 websites |
 Italy | 4,994 websites |
 Spain | 4,958 websites |
Website Distribution by TLD
Number of websites using CVE-2020-7071| .com | 201,661 websites |
| .fr | 58,026 websites |
| .org | 21,771 websites |
| .net | 11,689 websites |
| .ru | 7,201 websites |
| .be | 6,953 websites |
| .pl | 5,899 websites |
| .it | 5,163 websites |
| .de | 4,796 websites |
| .ca | 4,605 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2020-7071
Top websites that are affected by CVE-2020-7071. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****.pl | Poland | *,*** | |
| ******.com | France | *,*** | |
| **********.com | France | *,*** | |
| *********.ua |  Ukraine | *,*** | |
| ******.com | France | *,*** | |
| *********.com | United States | *,*** | |
| **********.com |  Sweden | **,*** | |
| *********.be | France | **,*** | |
| **************.com | United States | **,*** | |
| ***********************.com | United States | **,*** |
FAQ
CVE-2020-7071 is Improper Input Validation in PHP
A total of 385,065 websites have been identified as vulnerable to CVE-2020-7071, based on global website indexing conducted by WebTechSurvey.
The PHP is affected by the CVE-2020-7071 vulnerability.
PHP versions up to 8.0.1 are vulnerable to CVE-2020-7071.
CVE-2020-7071 is resolved in version 8.0.1 of PHP.
References
- https://bugs.php.net/bug.php?id=77423
- https://www.debian.org/security/2021/dsa-4856
- https://security.gentoo.org/glsa/202105-23
- https://lists.debian.org/debian-lts-announce/2021/07/msg00008.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.tenable.com/security/tns-2021-14
- https://security.netapp.com/advisory/ntap-20210312-0005/