8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.007 Low
EPSS
Percentile
80.1%
Flysystem is an open source file storage library for PHP. The whitespace
normalisation using in 1.x and 2.x removes any unicode whitespace. Under
certain specific conditions this could potentially allow a malicious user
to execute code remotely. The conditions are: A user is allowed to supply
the path or filename of an uploaded file, the supplied path or filename is
not checked against unicode chars, the supplied pathname checked against an
extension deny-list, not an allow-list, the supplied path or filename
contains a unicode whitespace char in the extension, the uploaded file is
stored in a directory that allows PHP code to be executed. Given these
conditions are met a user can upload and execute arbitrary code on the
system under attack. The unicode whitespace removal has been replaced with
a rejection (exception). For 1.x users, upgrade to 1.1.4. For 2.x users,
upgrade to 2.1.1.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 22.04 | noarch | php-league-flysystem | < any | UNKNOWN |
ubuntu | 23.10 | noarch | php-league-flysystem | < any | UNKNOWN |
ubuntu | 16.04 | noarch | php-league-flysystem | < any | UNKNOWN |
github.com/thephpleague/flysystem/commit/a3c694de9f7e844b76f9d1b61296ebf6e8d89d74
github.com/thephpleague/flysystem/commit/f3ad69181b8afed2c9edf7be5a2918144ff4ea32
github.com/thephpleague/flysystem/security/advisories/GHSA-9f46-5r25-5wfm
launchpad.net/bugs/cve/CVE-2021-32708
nvd.nist.gov/vuln/detail/CVE-2021-32708
packagist.org/packages/league/flysystem
security-tracker.debian.org/tracker/CVE-2021-32708
www.cve.org/CVERecord?id=CVE-2021-32708
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.007 Low
EPSS
Percentile
80.1%