Nextcloud: Suspicious login app ships old league/flysystem version

Summary:

The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a race condition. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
Flysystem: 0.1.0 - 2.1.0

https://github.com/nextcloud/suspicious_login/

<?php
namespace League\Flysystem;
use RuntimeException;
final class CorruptedPathDetected extends RuntimeException implements FilesystemException
{
    public static function forPath(string $path): CorruptedPathDetected
    {
        return new CorruptedPathDetected("Corrupted path detected: " . $path);
    }
}

   {
        $path = str_replace('\\', '/', $path);
        $path = $this->removeFunkyWhiteSpace($path);
        $this->rejectFunkyWhiteSpace($path);

Supporting References:
The unicode whitespace removal has been replaced with a rejection (exception).
The library has been patched in:

• 1.x: thephpleague/flysystem@f3ad691
• 2.x: thephpleague/flysystem@a3c694d

CVE-2021-32708
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
GHSA-9f46-5r25-5wfm

Impact

The whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely.

The conditions:

• A user is allowed to supply the path or filename of an uploaded file.
• The supplied path or filename is not checked against unicode chars.
• The supplied pathname checked against an extension deny-list, not an allow-list.
• The supplied path or filename contains a unicode whitespace char in the extension.
• The uploaded file is stored in a directory that allows PHP code to be executed.

Given these conditions are met a user can upload and execute arbitrary code on the system under attack.