GitHub_MCVELIST:CVE-2021-37704CVE-2021-37704 Exposed phpinfo() in PhpFastCache
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
0.006 Low
EPSS
Percentile
79.0%
PhpFastCache is a high-performance backend cache system (packagist package phpfastcache/phpfastcache). In versions before 6.1.5, 7.1.2, and 8.0.7 the phpinfo() can be exposed if the /vendor is not protected from public access. This is a rare situation today since the vendor directory is often located outside the web directory or protected via server rule (.htaccess, etc). Only the v6, v7 and v8 will be patched respectively in 8.0.7, 7.1.2, 6.1.5. Older versions such as v5, v4 are not longer supported and will NOT be patched. As a workaround, protect the /vendor directory from public access.
CNA Affected
[
{
"product": "phpfastcache",
"vendor": "PHPSocialNetwork",
"versions": [
{
"status": "affected",
"version": "< 6.1.5"
},
{
"status": "affected",
"version": ">= 7.0.0, < 7.1.2"
},
{
"status": "affected",
"version": ">= 8.0.0, < 8.0.7"
}
]
}
]References
github.com/flextype/flextype/issues/567
github.com/PHPSocialNetwork/phpfastcache/blob/master/CHANGELOG.md#807
github.com/PHPSocialNetwork/phpfastcache/commit/41a77d0d8f126dbd6fbedcd9e6a82e86cdaafa51
github.com/PHPSocialNetwork/phpfastcache/pull/813
github.com/PHPSocialNetwork/phpfastcache/pull/814
github.com/PHPSocialNetwork/phpfastcache/pull/815
github.com/PHPSocialNetwork/phpfastcache/security/advisories/GHSA-cvh5-p6r6-g2qc
packagist.org/packages/phpfastcache/phpfastcache
Related
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
0.006 Low
EPSS
Percentile
79.0%