CWE: 362, 367

CVE-2021-32708: Time-of-check Time-of-use (TOCTOU) Race Condition in league/flysystem

First published: Thu Jun 24 2021

### Impact

The whitespace normalisation used in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely. The conditions:

- A user is allowed to supply the path or filename of an uploaded file.
- The supplied path or filename is not checked against unicode chars.
- The supplied pathname is checked against an extension deny-list, not an allow-list.
- The supplied path or filename contains a unicode whitespace char in the extension.
- The uploaded file is stored in a directory that allows PHP code to be executed.

Given these conditions are met, a user can upload and execute arbitrary code on the system under attack.

### Patches

The unicode whitespace removal has been replaced with a rejection (exception). The library has been patched in:

- 1.x: https://github.com/thephpleague/flysystem/commit/f3ad69181b8afed2c9edf7be5a2918144ff4ea32
- 2.x: https://github.com/thephpleague/flysystem/commit/a3c694de9f7e844b76f9d1b61296ebf6e8d89d74

### Workarounds

For 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.
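The strip-versus-reject difference described above, as an added PHP illustration that is not Flysystem's own code: a reconstruction of the pre-fix normaliser that silently removes the characters, the post-fix normaliser that throws instead, and the deny-list check that the stripping behaviour undermines. It assumes the check is based on the PCRE Unicode class `\p{C}`; the exception class name, function names and the `report.ph<U+200B>p` sample are constructed for the example.

```php
<?php
// Added illustration (not Flysystem's own code): the pre-fix "strip" path
// normaliser next to the post-fix "reject" normaliser. Assumption: the check
// uses the PCRE class \p{C} (Unicode "Other": control, format, unassigned).
final class CorruptedPathDetected extends RuntimeException {}
// Pre-fix behaviour (reconstruction): silently drop the offending characters.
function normalizeStripping(string $path): string
{
    // Loop, because removing one run can expose a new match.
    while (preg_match('#\p{C}+#u', $path)) {
        $path = preg_replace('#\p{C}+#u', '', $path);
    }
    return $path;
}

// Post-fix behaviour: refuse the path instead of rewriting it.
function normalizeRejecting(string $path): string
{
    if (preg_match('#\p{C}+#u', $path)) {
        throw new CorruptedPathDetected("Corrupted path detected: {$path}");
    }
    return $path;
}

// Deny-list check of the kind the advisory describes, run on the raw name.
function passesDenyList(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, ['php', 'phtml', 'phar'], true);
}

// Allow-list check, run on the already-normalised name (the safer design).
function passesAllowList(string $normalised): bool
{
    $ext = strtolower(pathinfo($normalised, PATHINFO_EXTENSION));
    return in_array($ext, ['png', 'jpg', 'pdf'], true);
}
// Constructed sample: a format character (U+200B) inside the extension.
$supplied = "report.ph\u{200B}p";
// Before the fix: the deny-list compares against "ph<U+200B>p" and lets it
// through, while the name that reaches storage has the character stripped.
var_dump(passesDenyList($supplied), normalizeStripping($supplied));
// After the fix: the same input is rejected before anything is stored.
try {
    normalizeRejecting($supplied);
} catch (CorruptedPathDetected $e) {
    echo $e->getMessage(), PHP_EOL;
}
var_dump(passesAllowList(normalizeRejecting('report.pdf')));
```

The allow-list function shows the complementary mitigation the advisory's conditions point to: validate the extension after normalisation and against a list of permitted types rather than a list of forbidden ones.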

Credit: security-advisories@github.com

| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/league/flysystem | <1.1.4, >=2.0.0 <2.1.1 | |
| Thephpleague Flysystem | >=1.0.0 <1.1.4 | |
| Thephpleague Flysystem | >=2.0.0 <2.1.1 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| composer/league/flysystem | >=2.0.0 <2.1.1 | 2.1.1 |
| composer/league/flysystem | <1.1.4 | 1.1.4 |


Frequently Asked Questions

  • What is CVE-2021-32708?

    CVE-2021-32708 is a vulnerability in Flysystem, an open source file storage library for PHP, that enables a Time-of-Check Time-of-Use (TOCTOU) race condition, leading to potential remote code execution.

  • What is the severity of CVE-2021-32708?

    The severity of CVE-2021-32708 is critical, with a CVSS v3.1 base score of 8.1.

  • Which software versions are affected by CVE-2021-32708?

    Versions 1.0.0 up to but excluding 1.1.4, and versions 2.0.0 up to but excluding 2.1.1 of Flysystem are affected by CVE-2021-32708.

  • How can CVE-2021-32708 be exploited?

    CVE-2021-32708 can be exploited by a malicious user under specific conditions, allowing them to execute code remotely.

  • Is there a fix for CVE-2021-32708?

    Yes, a fix for CVE-2021-32708 is available. It is recommended to update Flysystem to a version that is not vulnerable.

© 2024 SecAlerts Pty Ltd.