| Reporter | Title | Published | Views | Family All 23 |
|---|---|---|---|---|
| Exploit for Time-of-check Time-of-use (TOCTOU) Race Condition in Thephpleague Flysystem | 19 Oct 2024 12:49 | – | githubexploit | |
| CVE-2021-32708 | 24 Jun 2021 20:18 | – | circl | |
| thephpleague flysystem 代码注入漏洞 | 24 Jun 2021 00:00 | – | cnnvd | |
| CVE-2021-32708 | 24 Jun 2021 16:30 | – | cve | |
| CVE-2021-32708 Time-of-check Time-of-use (TOCTOU) Race Condition in league/flysystem | 24 Jun 2021 16:30 | – | cvelist | |
| CVE-2021-32708 | 24 Jun 2021 16:30 | – | debiancve | |
| EUVD-2021-1300 | 7 Oct 2025 00:30 | – | euvd | |
| [SECURITY] Fedora 33 Update: php-league-flysystem-1.1.4-1.fc33 | 4 Jul 2021 01:09 | – | fedora | |
| [SECURITY] Fedora 34 Update: php-league-flysystem-1.1.4-1.fc34 | 4 Jul 2021 01:08 | – | fedora | |
| TOCTOU Race Condition enabling remote code execution | 23 Jun 2021 23:56 | – | friendsofphp |
| Source | Link |
|---|---|
| ubuntu | www.ubuntu.com/security/CVE-2021-32708 |
| cve | www.cve.mitre.org/cgi-bin/cvename.cgi |
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
# Metadata registration branch: runs only when `description` is true, records the
# plugin's identity, advisory text, scoring and prerequisites, then leaves through
# exit(0) so none of the detection code further down executes in this mode.
if (description)
{
script_id(257279);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/05/21");
script_cve_id("CVE-2021-32708");
script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2021-32708");
# Synopsis and description: the description embeds the upstream advisory text.
# Reading aid for triage: the advisory lists several preconditions that must ALL
# hold (user-controlled path/filename, no Unicode check, deny-list rather than
# allow-list extension filtering, Unicode whitespace in the extension, upload
# directory that executes PHP). The closing sentence of the description states
# that detection relies on package presence as reported by the vendor, so a
# finding says the package is installed, not that those preconditions are met.
# Where the package cannot be replaced, the same preconditions point at the
# compensating controls: allow-list upload extensions, reject Unicode whitespace
# in user-supplied names, and store uploads where PHP is not executed.
script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.
- Flysystem is an open source file storage library for PHP. The whitespace normalisation using in 1.x and
2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a
malicious user to execute code remotely. The conditions are: A user is allowed to supply the path or
filename of an uploaded file, the supplied path or filename is not checked against unicode chars, the
supplied pathname checked against an extension deny-list, not an allow-list, the supplied path or filename
contains a unicode whitespace char in the extension, the uploaded file is stored in a directory that
allows PHP code to be executed. Given these conditions are met a user can upload and execute arbitrary
code on the system under attack. The unicode whitespace removal has been replaced with a rejection
(exception). For 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1. (CVE-2021-32708)
Note that Nessus relies on the presence of the package as reported by the vendor.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2021-32708");
# NOTE(review): "no known solution" sits next to a description that names fixed
# upstream releases (1.1.4 / 2.1.1). Presumably the solution text refers to the
# distribution package (see vendor_unpatched below) rather than to upstream;
# confirm against the see_also tracker before reporting "no fix exists".
script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
script_set_attribute(attribute:"agent", value:"unix");
# Scoring: CVSS v2 and v3 base vectors plus temporal vectors. Both temporal
# vectors carry E:U and RL:U, matching the exploit/solution attributes below.
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:U/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:U/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-32708");
# NOTE(review): these two values are static plugin metadata. The related-entries
# table that accompanies this listing includes a "githubexploit" item for the
# same CVE, so re-check exploit availability before using these fields for
# prioritisation.
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
# Marks the finding as one the vendor has not patched.
script_set_attribute(attribute:"vendor_unpatched", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/06/24");
script_set_attribute(attribute:"plugin_publication_date", value:"2025/08/27");
script_set_attribute(attribute:"plugin_type", value:"local");
# CPE coverage: five Ubuntu releases plus the php-league-flysystem package CPE.
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:24.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:25.04");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:25.10");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php-league-flysystem");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Prerequisites: two dependency scripts and four required KB keys, including the
# "global_settings/vendor_unpatched" opt-in and "Host/local_checks_enabled".
script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
# NOTE(review): the per-release "Host/OS/Ubuntu Linux-*" KB keys are passed to
# script_require_ports, presumably for its any-one-of matching so that a host
# on any single listed release qualifies - confirm against engine docs.
script_require_ports("Host/OS/Ubuntu Linux-16.04", "Host/OS/Ubuntu Linux-22.04", "Host/OS/Ubuntu Linux-24.04", "Host/OS/Ubuntu Linux-25.04", "Host/OS/Ubuntu Linux-25.10");
exit(0);
}
# Pre-flight gates, checked in order before any package inspection.

# 1. Opt-in: without the unpatched-vulnerability setting in the KB the plugin
#    exits quietly, so an absent finding may only mean the setting was off.
if (!get_kb_item("global_settings/vendor_unpatched"))
{
  exit(0, "Unpatched Vulnerabilities Detection not active.");
}

# 2. Local checks must be enabled for this host.
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}

# 3. A dpkg package listing must have been collected; without it the host is
#    audited as "package list missing" rather than reported as not affected.
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l")))
{
  audit(AUDIT_PACKAGE_LIST_MISSING);
}

# Library providing the linux_unpatched:: helpers used further down.
include('linux_unpatched.inc');
# Detection table keyed by OS identifier. Every entry uses the dpkg listing and
# names a single package reference with no version bound visible here, which is
# consistent with the description's statement that detection relies on the
# presence of the package. How linux_unpatched.inc evaluates a "reference" is
# not shown in this file.
var distro_constraints_array = {
  "Ubuntu Linux-16.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      { "release": "16.04", "pkgs": [ {"reference": "php-league-flysystem"} ] }
    ]
  },
  "Ubuntu Linux-22.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      { "release": "22.04", "pkgs": [ {"reference": "php-league-flysystem"} ] }
    ]
  },
  "Ubuntu Linux-24.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      { "release": "24.04", "pkgs": [ {"reference": "php-league-flysystem"} ] }
    ]
  },
  "Ubuntu Linux-25.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      { "release": "25.04", "pkgs": [ {"reference": "php-league-flysystem"} ] }
    ]
  },
  "Ubuntu Linux-25.10": {
    "package_manager": "dpkg-l",
    "constraints": [
      { "release": "25.10", "pkgs": [ {"reference": "php-league-flysystem"} ] }
    ]
  }
};
# Narrow the table to what applies to this host (presumably by OS identifier;
# the selection logic lives in linux_unpatched.inc). Nothing applicable means
# the host is audited as not affected.
var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values))
{
  audit(AUDIT_HOST_NOT, 'affected');
}

# Evaluate the applicable constraints; a non-empty result is the report text.
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (empty_or_null(report))
{
  # No matching package found: audit the host as not affected.
  audit(AUDIT_HOST_NOT, 'affected');
}
else
{
  # Host-level finding (port 0) raised at SECURITY_HOLE severity, carrying the
  # helper's report as the extra output.
  security_report_v4(
    port     : 0,
    severity : SECURITY_HOLE,
    extra    : report
  );
  exit(0);
}