Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2021-32708

Опубликовано: 24 июн. 2021
Источник: nvd
CVSS3: 9.8
CVSS3: 8.1
CVSS2: 9.3
EPSS Низкий

Описание

Flysystem is an open source file storage library for PHP. The whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely. The conditions are: A user is allowed to supply the path or filename of an uploaded file, the supplied path or filename is not checked against unicode chars, the supplied pathname checked against an extension deny-list, not an allow-list, the supplied path or filename contains a unicode whitespace char in the extension, the uploaded file is stored in a directory that allows PHP code to be executed. Given these conditions are met a user can upload and execute arbitrary code on the system under attack. The unicode whitespace removal has been replaced with a rejection (exception). For 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:thephpleague:flysystem:*:*:*:*:*:*:*:*
Версия от 1.0.0 (включая) до 1.1.4 (исключая)
cpe:2.3:a:thephpleague:flysystem:*:*:*:*:*:*:*:*
Версия от 2.0.0 (включая) до 2.1.1 (исключая)
Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

EPSS

Процентиль: 91%
0.07327
Низкий

9.8 Critical

CVSS3

8.1 High

CVSS3

9.3 Critical

CVSS2

Дефекты

CWE-367
CWE-367

Связанные уязвимости

ubuntu логотип

CVE-2021-32708

CVSS3: 9.8
ubuntu
больше 4 лет назад

Flysystem is an open source file storage library for PHP. The whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely. The conditions are: A user is allowed to supply the path or filename of an uploaded file, the supplied path or filename is not checked against unicode chars, the supplied pathname checked against an extension deny-list, not an allow-list, the supplied path or filename contains a unicode whitespace char in the extension, the uploaded file is stored in a directory that allows PHP code to be executed. Given these conditions are met a user can upload and execute arbitrary code on the system under attack. The unicode whitespace removal has been replaced with a rejection (exception). For 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.

debian логотип

CVE-2021-32708

CVSS3: 9.8
debian
больше 4 лет назад

Flysystem is an open source file storage library for PHP. The whitespa ...

github логотип

GHSA-9f46-5r25-5wfm

CVSS3: 9.8
github
больше 4 лет назад

Time-of-check Time-of-use (TOCTOU) Race Condition in league/flysystem

fstec логотип

BDU:2021-03326

CVSS3: 9.8
fstec
больше 4 лет назад

Уязвимость библиотеки Flysystem, вызванная ситуацией гонки, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 91%
0.07327
Низкий

9.8 Critical

CVSS3

8.1 High

CVSS3

9.3 Critical

CVSS2

Дефекты

CWE-367
CWE-367