{"id":"CVE-2020-7071","details":"In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating a URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept a URL with an invalid password as a valid URL. This may cause functions that rely on the URL being valid to mis-parse the URL and produce wrong data as components of the URL.","aliases":["BIT-libphp-2020-7071","BIT-php-2020-7071","BIT-php-min-2020-7071"],"modified":"2026-04-16T04:38:40.171865919Z","published":"2021-02-15T04:15:12.563Z","related":["ALSA-2021:4213","SUSE-SU-2021:0124-1","SUSE-SU-2021:0125-1","SUSE-SU-2021:0126-1","SUSE-SU-2022:4067-1","SUSE-SU-2022:4068-1","SUSE-SU-2022:4069-1","openSUSE-SU-2021:0101-1","openSUSE-SU-2021:0106-1"],"references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/07/msg00008.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202105-23"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210312-0005/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4856"},{"type":"ADVISORY","url":"https://www.tenable.com/security/tns-2021-14"},{"type":"REPORT","url":"https://bugs.php.net/bug.php?id=77423"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/php/php-src","events":[{"introduced":"52ace952a1b65ca80fc2617f11c2fa6dd03f51bd"},{"fixed":"d4f5aed22193106271510efd643ba8f349b7d85f"},{"introduced":"3c7824e16ec4c3cee417262445d2c2b66531c10f"},{"fixed":"8e9d39f15c04a806c5a481d53f384955f9dec718"},{"introduced":"5dc92c2117cafc61daaaaa240fd46c3ac33872a4"},{"fixed":"94d96b3c979a60e47abe209506c3947a16abff40"}],"database_specific":{"versions":[{"introduced":"7.3.0"},{"fixed":"7.3.26"},{"introduced":"7.4.0"},{"fixed":"7.4.14"},{"introduced":"8.0.0"},{"fixed":"8.0.1"}]}}],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":
"0"},{"last_affected":"10.0"}]}],"vanir_signatures":[{"signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["227590726783538602739410841003471904793","66680938880302284338338960787911270257","171183897526155539642673019964330521437","148221363525494540717156201398603599226","14027080294252728254363174975924474113","76883004995448503163927027256011056830","64543593176252355754339515403925011044","12108129512617529725365468371233867917","100947579209271428937666099495064218656","101484631618889424068088575429425243002","283402044833093694227510714613320421908"]},"id":"CVE-2020-7071-bd47661d","target":{"file":"ext/standard/url.c"},"source":"https://github.com/php/php-src/commit/d4f5aed22193106271510efd643ba8f349b7d85f","deprecated":false},{"target":{"function":"php_url_parse_ex2","file":"ext/standard/url.c"},"signature_version":"v1","source":"https://github.com/php/php-src/commit/d4f5aed22193106271510efd643ba8f349b7d85f","id":"CVE-2020-7071-fe94b820","signature_type":"Function","digest":{"function_hash":"104833949699379374291448524444507709786","length":4481},"deprecated":false}],"vanir_signatures_modified":"2026-04-11T13:53:25Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-7071.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}