CVE-2021-32708 league/flysystem

Package

Manager: composer
Name: league/flysystem
Vulnerable Version: >=0 <1.1.4 || >=2.0.0 <2.1.1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.07302 (percentile: 0.91295)

Details

Time-of-check Time-of-use (TOCTOU) Race Condition in league/flysystem

### Impact

The whitespace normalisation used in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely.

The conditions:

- A user is allowed to supply the path or filename of an uploaded file.
- The supplied path or filename is not checked against unicode chars.
- The supplied pathname is checked against an extension deny-list, not an allow-list.
- The supplied path or filename contains a unicode whitespace char in the extension.
- The uploaded file is stored in a directory that allows PHP code to be executed.

Given these conditions are met, a user can upload and execute arbitrary code on the system under attack.

### Patches

The unicode whitespace removal has been replaced with a rejection (exception).

The library has been patched in:

- 1.x: https://github.com/thephpleague/flysystem/commit/f3ad69181b8afed2c9edf7be5a2918144ff4ea32
- 2.x: https://github.com/thephpleague/flysystem/commit/a3c694de9f7e844b76f9d1b61296ebf6e8d89d74

### Workarounds

For 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.
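The check/use mismatch described in the advisory, shown next to the reject-instead-of-strip approach combined with an allow-list. This is an added example, not Flysystem's code: the function names, the `SUSPECT_CHARS` pattern, the extension lists and the sample filename are all assumptions made for illustration.

```php
<?php
// Matches Unicode "other" (\p{C}) and separator (\p{Z}) characters. Assumption:
// a deliberately strict class that also covers the ASCII space.
const SUSPECT_CHARS = '/[\p{C}\p{Z}]/u';

// Hypothetical application-side deny-list check (not part of Flysystem).
function extensionIsDenied(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, ['php', 'phtml', 'phar'], true);
}

// Stand-in for the pre-patch behaviour: silently strip the characters.
function normaliseByStripping(string $path): string
{
    $clean = preg_replace(SUSPECT_CHARS, '', $path);
    if ($clean === null) {
        throw new InvalidArgumentException('Path is not valid UTF-8');
    }
    return $clean;
}

// Post-patch idea plus an allow-list: reject instead of rewriting the name.
function validateUploadName(string $name): string
{
    // preg_match() returns 1 on a match and false on invalid UTF-8; refuse both.
    if (preg_match(SUSPECT_CHARS, $name) !== 0) {
        throw new InvalidArgumentException('Corrupted path detected');
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'png', 'pdf'], true)) {
        throw new InvalidArgumentException('Extension not on the allow-list');
    }
    return $name;
}

// Constructed sample: U+200B (zero width space) inside the extension.
$supplied = "upload.p\u{200B}hp";
// Time of check: the deny-list sees the raw extension, U+200B included.
var_dump(extensionIsDenied($supplied));
// Time of use: the name that reaches storage is the stripped one.
$stored = normaliseByStripping($supplied);
var_dump($stored, extensionIsDenied($stored));
// Hardened path: the same input is refused before anything is written.
try {
    validateUploadName($supplied);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Any validation an application performs should run on the exact string that is handed to storage, so that no later rewrite can change what was checked.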

Metadata

Created: 2021-06-29T03:13:28Z
Modified: 2021-09-21T14:55:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-9f46-5r25-5wfm/GHSA-9f46-5r25-5wfm.json
CWE IDs: ["CWE-367"]
Alternative ID: GHSA-9f46-5r25-5wfm
Finding: F124
Auto approve: 1