CVE-2021-21703
PHP-FPM memory access in root process leading to privilege escalationIn PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user.
We have discovered 414,579 live websites that are affected by CVE-2021-21703.
Affected Software
| Product |  PHP |
| Category | Programming Languages |
| Vulnerable Domains | 414,579 live websites (5.43% of PHP install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 67 versions ( 13% of all versions) |
Common Weakness Enumeration
CWE-787 Out-of-bounds WriteDetails
- Published - Oct 25, 2021
- Updated - Sep 17, 2024
Credits
- Reported by Charles Fol
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2021-21703 United States | 135,982 websites |
 France | 138,396 websites |
 Russia | 20,897 websites |
 Germany | 13,087 websites |
 Japan | 9,369 websites |
 China | 8,592 websites |
 Brazil | 7,259 websites |
 Spain | 6,656 websites |
 Poland | 6,538 websites |
 Italy | 6,296 websites |
Website Distribution by TLD
Number of websites using CVE-2021-21703| .com | 194,945 websites |
| .fr | 57,620 websites |
| .org | 21,003 websites |
| .ru | 16,921 websites |
| .net | 12,563 websites |
| .de | 7,977 websites |
| .be | 7,045 websites |
| .pl | 6,262 websites |
| .it | 6,187 websites |
| .com.br | 6,156 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2021-21703
Top websites that are affected by CVE-2021-21703. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****.pl | Poland | *,*** | |
| ****.org |  GB | *,*** | |
| **********.org | United States | *,*** | |
| ******.com | France | *,*** | |
| **********.com | France | *,*** | |
| *******.pro | Russia | *,*** | |
| *********.ua |  Ukraine | *,*** | |
| ******.at |  Austria | *,*** | |
| ******.com | France | *,*** | |
| *********.com | United States | *,*** |
FAQ
CVE-2021-21703 is Out-of-bounds Write in PHP
A total of 414,579 websites have been identified as vulnerable to CVE-2021-21703, based on global website indexing conducted by WebTechSurvey.
The PHP is affected by the CVE-2021-21703 vulnerability.
PHP versions up to 8.0.12 are vulnerable to CVE-2021-21703.
CVE-2021-21703 is resolved in version 8.0.12 of PHP.
References
- https://bugs.php.net/bug.php?id=81026
- https://www.debian.org/security/2021/dsa-4992
- https://www.debian.org/security/2021/dsa-4993
- http://www.openwall.com/lists/oss-security/2021/10/26/7
- https://lists.debian.org/debian-lts-announce/2021/10/msg00021.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JO5RA6YOBGGGKLIA6F6BQRZDDECF5L3R/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PBM3KKB3RY2YPOKNMC4HIH7IH3T3WC74/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PZVLICZUJMXOGWOUWSBAEGIVTF6Y6V3/
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://security.netapp.com/advisory/ntap-20211118-0003/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://security.gentoo.org/glsa/202209-20