CVE-2021-21707: 
PHP vulnerability analysis and mitigation

CVE-2021-21707 affects PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26, and 8.0.x below 8.0.13. The vulnerability involves certain XML parsing functions, like simplexml_load_file(), which URL-decode the filename passed to them. When the filename contains a URL-encoded NUL character, the function may interpret this as the end of the filename, potentially leading to reading a different file than intended (CVE Mitre).

The vulnerability occurs when XML parsing functions process filenames containing URL-encoded NUL characters (%00). The functions decode these characters, causing them to interpret the NUL byte as a string terminator. This behavior can cause the function to read only the portion of the filename before the NUL character, potentially leading to unintended file access (PHP Bug).

The successful exploitation of this vulnerability could lead to disclosure of sensitive information. The vulnerability has been assigned a CVSS score of 5.3 (MEDIUM) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NetApp Advisory).

The vulnerability has been fixed in PHP versions 7.3.33, 7.4.26, and 8.0.13 and later. Users should upgrade to these or newer versions to address the issue. The fix involves implementing checks for URL-encoded NUL characters in filenames before processing them (Red Hat Advisory).