Vulnerability DatabaseCVE-2021-32708
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2021-32708
June 24, 2021
Flysystem is an open source file storage library for PHP. The whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely. The conditions are: A user is allowed to supply the path or filename of an uploaded file, the supplied path or filename is not checked against unicode chars, the supplied pathname checked against an extension deny-list, not an allow-list, the supplied path or filename contains a unicode whitespace char in the extension, the uploaded file is stored in a directory that allows PHP code to be executed. Given these conditions are met a user can upload and execute arbitrary code on the system under attack. The unicode whitespace removal has been replaced with a rejection (exception). For 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.
Affected Packages
https://github.com/thephpleague/flysystem.git (GITHUB):
Affected version(s) >=1.1.0 <1.1.4
Fix Suggestion:
Update to version 1.1.4
https://github.com/thephpleague/flysystem.git (GITHUB):
Affected version(s) >=2.0.0 <2.1.1
Fix Suggestion:
Update to version 2.1.1
league/flysystem (PHP):
Affected version(s) >=0.1.0 <1.1.4
Fix Suggestion:
Update to version 1.1.4
league/flysystem (PHP):
Affected version(s) >=2.0.0 <2.1.1
Fix Suggestion:
Update to version 2.1.1
league/flysystem (PHP):
Affected version(s) >=dev-bugfix/aws-s3-v3-291 <1.1.4
Fix Suggestion:
Update to version 1.1.4
Related Resources (11)
https://github.com/FriendsOfPHP/security-advisories/blob/master/league/flysystem/CVE-2021-32708.yaml
https://github.com/thephpleague/flysystem/commit/f3ad69181b8afed2c9edf7be5a2918144ff4ea32
https://github.com/thephpleague/flysystem
https://github.com/thephpleague/flysystem/commit/a3c694de9f7e844b76f9d1b61296ebf6e8d89d74
https://nvd.nist.gov/vuln/detail/CVE-2021-32708
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NWPTENBYKI2IG47GI4DHAACLNRLTWUR5/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RNZSWK4GOMJOOHKLZEOE5AQSLC4DNCRZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWPTENBYKI2IG47GI4DHAACLNRLTWUR5
https://packagist.org/packages/league/flysystem
https://github.com/thephpleague/flysystem/security/advisories/GHSA-9f46-5r25-5wfm
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RNZSWK4GOMJOOHKLZEOE5AQSLC4DNCRZ
Do you need more information?
Contact Us
CVSS v4
Base Score:
9.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
9.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
CVSS v2
Base Score:
9.3
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
Weakness Type (CWE)
Time-of-check Time-of-use (TOCTOU) Race Condition
CWE-367
EPSS
Base Score:
7.33