CVSS3: 8.1 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.007 Low
Percentile: 80.2%

The whitespace normalisation used in 1.x and 2.x removes any Unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely.
The conditions:
Given these conditions are met, a user can upload and execute arbitrary code on the system under attack.
The unicode whitespace removal has been replaced with a rejection (exception).
The library has been patched in:
For 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.
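The difference between removing and rejecting, as an added example (not Flysystem's code): a name that passes a caller's extension check as submitted no longer matches what was checked once the invisible character is stripped, while the rejecting variant refuses it outright. The function names, the `\p{C}` pattern, the denylist and the sample file name are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration only; not Flysystem's API.
// Assumed pattern: Unicode control/format characters (e.g. zero-width space).
const INVISIBLE = '#\p{C}+#u';

/** Behaviour before the fix, as the advisory describes it: silently remove. */
function normalizeByStripping(string $path): string
{
    $clean = preg_replace(INVISIBLE, '', $path);
    if ($clean === null) {
        throw new InvalidArgumentException('Path is not valid UTF-8');
    }
    return $clean;
}

/** Behaviour after the fix, as the advisory describes it: refuse the path. */
function normalizeByRejecting(string $path): string
{
    // preg_match() returns 1 on a match and false on invalid UTF-8; reject both.
    if (preg_match(INVISIBLE, $path) !== 0) {
        throw new InvalidArgumentException('Corrupted path: ' . json_encode($path));
    }
    return $path;
}

/** Caller-side denylist check, run on the name exactly as it was submitted. */
function extensionIsBlocked(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, ['php', 'phtml', 'phar'], true);
}

// Constructed input: a zero-width space (U+200B) inside the extension.
$submitted = "avatar.ph\u{200B}p";

// The check sees one name, the stripping normaliser stores another.
var_dump(extensionIsBlocked($submitted));
$stored = normalizeByStripping($submitted);
var_dump($stored, extensionIsBlocked($stored));

// The rejecting normaliser never produces a second, different name.
try {
    normalizeByRejecting($submitted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Independently of the upgrade, validating the name that is actually written to storage, rather than the name as submitted, closes the same gap on the caller's side.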
github.com/FriendsOfPHP/security-advisories/blob/master/league/flysystem/CVE-2021-32708.yaml
github.com/thephpleague/flysystem
github.com/thephpleague/flysystem/commit/a3c694de9f7e844b76f9d1b61296ebf6e8d89d74
github.com/thephpleague/flysystem/commit/f3ad69181b8afed2c9edf7be5a2918144ff4ea32
github.com/thephpleague/flysystem/security/advisories/GHSA-9f46-5r25-5wfm
lists.fedoraproject.org/archives/list/[email protected]/message/NWPTENBYKI2IG47GI4DHAACLNRLTWUR5
lists.fedoraproject.org/archives/list/[email protected]/message/RNZSWK4GOMJOOHKLZEOE5AQSLC4DNCRZ
nvd.nist.gov/vuln/detail/CVE-2021-32708
packagist.org/packages/league/flysystem