CVE-2021-37704

PhpFastCache is a high-performance backend cache system (packagist package phpfastcache/phpfastcache). In versions before 6.1.5, 7.1.2, and 8.0.7 the `phpinfo()` can be exposed if the `/vendor` is not protected from public access. This is a rare situation today since the vendor directory is often located outside the web directory or protected via server rule (.htaccess, etc). Only the v6, v7 and v8 will be patched respectively in 8.0.7, 7.1.2, 6.1.5. Older versions such as v5, v4 are not longer supported and will **NOT** be patched. As a workaround, protect the `/vendor` directory from public access.

CVSS v3.0 4.3 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.3^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/PHPSocialNetwork/phpfastcache/security/advisories/GHSA-cvh5-p6r6-g2qc	Third Party Advisory
https://packagist.org/packages/phpfastcache/phpfastcache	Product Third Party Advisory
https://github.com/PHPSocialNetwork/phpfastcache/blob/master/CHANGELOG.md#807	Release Notes Third Party Advisory
https://github.com/flextype/flextype/issues/567	Exploit Issue Tracking Third Party Advisory
https://github.com/PHPSocialNetwork/phpfastcache/commit/41a77d0d8f126dbd6fbedcd9e6a82e86cdaafa51	Patch Third Party Advisory
https://github.com/PHPSocialNetwork/phpfastcache/pull/813	Patch Third Party Advisory
https://github.com/PHPSocialNetwork/phpfastcache/pull/814	Third Party Advisory
https://github.com/PHPSocialNetwork/phpfastcache/pull/815	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:phpfastcache:phpfastcache::::::::
	cpe:2.3:a:phpfastcache:phpfastcache::::::::
	cpe:2.3:a:phpfastcache:phpfastcache::::::::

Information

Published : 2021-08-12 13:15

Updated : 2022-10-27 05:41

NVD link : CVE-2021-37704

Mitre link : CVE-2021-37704

JSON object : View

CWE

CWE-668

Exposure of Resource to Wrong Sphere

Products Affected

phpfastcache

phpfastcache

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/PHPSocialNetwork/phpfastcache/security/advisories/GHSA-cvh5-p6r6-g2qc", "name": "https://github.com/PHPSocialNetwork/phpfastcache/security/advisories/GHSA-cvh5-p6r6-g2qc", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://packagist.org/packages/phpfastcache/phpfastcache", "name": "https://packagist.org/packages/phpfastcache/phpfastcache", "tags": ["Product", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/PHPSocialNetwork/phpfastcache/blob/master/CHANGELOG.md#807", "name": "https://github.com/PHPSocialNetwork/phpfastcache/blob/master/CHANGELOG.md#807", "tags": ["Release Notes", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/flextype/flextype/issues/567", "name": "https://github.com/flextype/flextype/issues/567", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/PHPSocialNetwork/phpfastcache/commit/41a77d0d8f126dbd6fbedcd9e6a82e86cdaafa51", "name": "https://github.com/PHPSocialNetwork/phpfastcache/commit/41a77d0d8f126dbd6fbedcd9e6a82e86cdaafa51", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/PHPSocialNetwork/phpfastcache/pull/813", "name": "https://github.com/PHPSocialNetwork/phpfastcache/pull/813", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/PHPSocialNetwork/phpfastcache/pull/814", "name": "https://github.com/PHPSocialNetwork/phpfastcache/pull/814", "tags": ["Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/PHPSocialNetwork/phpfastcache/pull/815", "name": "https://github.com/PHPSocialNetwork/phpfastcache/pull/815", "tags": ["Third Party Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "PhpFastCache is a high-performance backend cache system (packagist package phpfastcache/phpfastcache). In versions before 6.1.5, 7.1.2, and 8.0.7 the `phpinfo()` can be exposed if the `/vendor` is not protected from public access. This is a rare situation today since the vendor directory is often located outside the web directory or protected via server rule (.htaccess, etc). Only the v6, v7 and v8 will be patched respectively in 8.0.7, 7.1.2, 6.1.5. Older versions such as v5, v4 are not longer supported and will **NOT** be patched. As a workaround, protect the `/vendor` directory from public access."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-668"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-37704", "ASSIGNER": "security-advisories@github.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "acInsufInfo": false, "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}}, "publishedDate": "2021-08-12T20:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:phpfastcache:phpfastcache:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "8.0.7", "versionStartIncluding": "8.0.0"}, {"cpe23Uri": "cpe:2.3:a:phpfastcache:phpfastcache:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "7.1.2", "versionStartIncluding": "7.0.0"}, {"cpe23Uri": "cpe:2.3:a:phpfastcache:phpfastcache:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "6.1.5"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-10-27T12:41Z"}

4.3 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2021-37704

4.3^/10

4.0^/10

Attach tags to `CVE-2021-37704`