CVE-2021-21702

In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to connect to a SOAP server, a malicious SOAP server could return malformed XML data as a response that would cause PHP to access a null pointer and thus cause a crash.

Weakness

The product dereferences a pointer that it expects to be valid but is NULL.

Affected Software

Name	Vendor	Start Version	End Version
Php	Php	7.3.0 (including)	7.3.27 (excluding)
Php	Php	7.4.0 (including)	7.4.15 (excluding)
Php	Php	8.0.0 (including)	8.0.2 (excluding)
Red Hat Enterprise Linux 8	RedHat	php:7.4-8050020210526053050.3e6e7e84	*
Red Hat Software Collections for Red Hat Enterprise Linux 7	RedHat	rh-php73-php-0:7.3.29-1.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS	RedHat	rh-php73-php-0:7.3.29-1.el7	*
Php5	Ubuntu	esm-infra-legacy/trusty	*
Php5	Ubuntu	precise/esm	*
Php5	Ubuntu	trusty	*
Php5	Ubuntu	trusty/esm	*
Php7.0	Ubuntu	esm-infra/xenial	*
Php7.0	Ubuntu	xenial	*
Php7.2	Ubuntu	bionic	*
Php7.2	Ubuntu	esm-infra/bionic	*
Php7.4	Ubuntu	esm-infra/focal	*
Php7.4	Ubuntu	focal	*
Php7.4	Ubuntu	groovy	*
Php7.4	Ubuntu	upstream	*
Php8.0	Ubuntu	upstream	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-21702
CWE	https://cwe.mitre.org/data/definitions/476.html

NULL Pointer Dereference

Weakness

Affected Software

Potential Mitigations

References