CVE-2021-37704

MEDIUM 5.4 | EPSS 47.8%

Exposed phpinfo() leaked via documentation files

Published: 8/30/2021 | Modified: 3/13/2026
Also known as: GHSA-cvh5-p6r6-g2qc

Description

### Impact

The `phpinfo()` output can be exposed if the `/vendor` directory is not protected from public access. This is a rare situation today, since the vendor directory is often located outside the web directory or protected via a server rule (.htaccess, etc).

### Patches

Only v6, v7 and v8 will be patched, in 6.1.5, 7.1.2 and 8.0.7 respectively. Older versions such as v5 and v4 are no longer supported and will **NOT** be patched.

### Workarounds

Protect the `/vendor` directory from public access.

### References

The first issue revealing this vulnerability is located here: https://github.com/flextype/flextype/issues/567

* V6 fix: https://github.com/PHPSocialNetwork/phpfastcache/pull/815
* V7 fix: https://github.com/PHPSocialNetwork/phpfastcache/pull/814
* V8 fix: https://github.com/PHPSocialNetwork/phpfastcache/pull/813

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [our issue tracker](https://github.com/PHPSocialNetwork/phpfastcache/issues)
* Email us at [[email protected]](mailto:[email protected])
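To check a deployment against the workaround, the following added example (not code from the advisory or from phpfastcache) walks a document root, reports every PHP file under a `vendor/` directory that calls `phpinfo()`, and notes whether an Apache deny rule covers it. The function names, the sample file path and the reliance on `.htaccess` are assumptions of this example; other web servers need their own rule check.

```python
import re
import tempfile
from pathlib import Path

# Byte-level match for a phpinfo() call; comments are not parsed, so review hits.
PHPINFO_CALL = re.compile(rb"\bphpinfo\s*\(", re.IGNORECASE)
# Blanket deny in Apache 2.4 ("Require all denied") or 2.2 ("Deny from all").
DENY_RULE = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$",
                       re.IGNORECASE | re.MULTILINE)


def has_deny_rule(directory):
    """True if directory/.htaccess holds a blanket deny (Apache only, and only
    effective when AllowOverride lets .htaccess set access rules)."""
    htaccess = Path(directory) / ".htaccess"
    return htaccess.is_file() and bool(
        DENY_RULE.search(htaccess.read_text(errors="replace")))


def audit_docroot(docroot):
    """Return (relative_path, guarded) for every PHP file that calls phpinfo()
    below a vendor/ directory located inside docroot."""
    docroot = Path(docroot).resolve()
    findings = []
    for php in sorted(docroot.rglob("*.php")):
        rel = php.relative_to(docroot)
        if "vendor" not in rel.parts[:-1] or not php.is_file():
            continue
        if PHPINFO_CALL.search(php.read_bytes()):
            # A deny rule in any ancestor directory inside docroot covers the file.
            dirs = [docroot / Path(*rel.parts[:i]) for i in range(len(rel.parts))]
            findings.append((rel.as_posix(), any(has_deny_rule(d) for d in dirs)))
    return findings


def demo():
    """Audit a constructed docroot before and after adding a deny rule."""
    with tempfile.TemporaryDirectory() as root:
        docs = Path(root, "vendor", "example", "lib", "docs")
        docs.mkdir(parents=True)
        (docs / "sample.php").write_text("<?php phpinfo();\n")  # constructed file
        before = audit_docroot(root)
        Path(root, "vendor", ".htaccess").write_text("Require all denied\n")
        return before, audit_docroot(root)


if __name__ == "__main__":
    print(demo())
```

A finding with `guarded` set to `False` means the file is reachable unless the server configuration blocks it elsewhere; moving `vendor/` outside the document root removes the finding entirely.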

Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L |

References (9)