The phpinfo()
can be exposed if the /vendor
is not protected from public access. This is a rare situation today since the vendor directory is often located outside the web directory or protected via server rule (.htaccess, etc).
Only the v6, v7 and v8 will be patched respectively in 8.0.7, 7.1.2, 6.1.5.
Older versions such as v5, v4 are not longer supported and will NOT be patched.
Protect the /vendor
directory from public access.
The first issue revealing this vulnerability is located here: https://github.com/flextype/flextype/issues/567
V6 fix: https://github.com/PHPSocialNetwork/phpfastcache/pull/815
V7 fix: https://github.com/PHPSocialNetwork/phpfastcache/pull/814
V8 fix: https://github.com/PHPSocialNetwork/phpfastcache/pull/813
If you have any questions or comments about this advisory:
github.com/flextype/flextype/issues/567
github.com/PHPSocialNetwork/phpfastcache/blob/master/CHANGELOG.md#807
github.com/PHPSocialNetwork/phpfastcache/commit/41a77d0d8f126dbd6fbedcd9e6a82e86cdaafa51
github.com/PHPSocialNetwork/phpfastcache/pull/813
github.com/PHPSocialNetwork/phpfastcache/pull/814
github.com/PHPSocialNetwork/phpfastcache/pull/815
github.com/PHPSocialNetwork/phpfastcache/security/advisories/GHSA-cvh5-p6r6-g2qc
nvd.nist.gov/vuln/detail/CVE-2021-37704
packagist.org/packages/phpfastcache/phpfastcache