First published: Thu Jun 24 2021 (Updated: )
### Impact

The whitespace normalisation used in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely. The conditions:

- A user is allowed to supply the path or filename of an uploaded file.
- The supplied path or filename is not checked against unicode chars.
- The supplied pathname is checked against an extension deny-list, not an allow-list.
- The supplied path or filename contains a unicode whitespace char in the extension.
- The uploaded file is stored in a directory that allows PHP code to be executed.

Given these conditions are met, a user can upload and execute arbitrary code on the system under attack.

### Patches

The unicode whitespace removal has been replaced with a rejection (exception). The library has been patched in:

- 1.x: https://github.com/thephpleague/flysystem/commit/f3ad69181b8afed2c9edf7be5a2918144ff4ea32
- 2.x: https://github.com/thephpleague/flysystem/commit/a3c694de9f7e844b76f9d1b61296ebf6e8d89d74

### Workarounds

For 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.
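As an added illustration (not Flysystem's own code), the PHP below contrasts a strip-style normaliser with the reject-style check the patches describe, and shows why an extension deny-list applied to the raw filename does not catch the case the advisory lists. The function names, the use of the PCRE `\p{C}` class to stand in for "unicode whitespace", and the sample filename are assumptions.

```php
<?php
declare(strict_types=1);
// Assumption: the advisory's "unicode whitespace" is modelled with the PCRE \p{C}
// class (control/format characters such as U+200B ZERO WIDTH SPACE).
/** Pre-patch style: silently strip such characters and carry on. */
function normaliseByStripping(string $path): string
{
    while (preg_match('#\p{C}+#u', $path) === 1) {
        $path = (string) preg_replace('#\p{C}+#u', '', $path);
    }
    return $path;
}

/** Patched style: refuse the path instead of normalising it. */
function normaliseByRejecting(string $path): string
{
    if (preg_match('#\p{C}+#u', $path) === 1) {
        throw new InvalidArgumentException('Corrupted path rejected: ' . bin2hex($path));
    }
    return $path;
}

/** Extension check as an allow-list on the name that will actually be stored. */
function hasAllowedExtension(string $storedPath, array $allowed): bool
{
    return in_array(strtolower(pathinfo($storedPath, PATHINFO_EXTENSION)), $allowed, true);
}

// Constructed sample filename: a zero-width space appended to the extension.
$submitted = "upload.php\u{200B}";
$denyList  = ['php', 'phtml', 'phar'];
// 1. Deny-list on the raw name: the extension bytes are "php" followed by E2 80 8B,
//    which is not in the list, so the check does not fire.
$rawExt = strtolower(pathinfo($submitted, PATHINFO_EXTENSION));
printf("deny-list matched raw name: %s\n", in_array($rawExt, $denyList, true) ? 'yes' : 'no');

// 2. Pre-patch normalisation strips the character, so the stored name ends in .php.
printf("stored name after stripping: %s\n", normaliseByStripping($submitted));

// 3. Patched normalisation refuses the path before anything is written.
try {
    normaliseByRejecting($submitted);
} catch (InvalidArgumentException $e) {
    printf("patched behaviour: %s\n", $e->getMessage());
}

// 4. An allow-list on the final stored name also stops it, independent of the normaliser.
$stored = normaliseByStripping($submitted);
printf("allow-list accepts %s: %s\n", $stored, hasAllowedExtension($stored, ['png', 'jpg', 'pdf']) ? 'yes' : 'no');
```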
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/league/flysystem | <1.1.4; >=2.0.0 <2.1.1 | |
| Thephpleague Flysystem | >=1.0.0 <1.1.4 | |
| Thephpleague Flysystem | >=2.0.0 <2.1.1 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| composer/league/flysystem | >=2.0.0 <2.1.1 | 2.1.1 |
| composer/league/flysystem | <1.1.4 | 1.1.4 |
CVE-2021-32708 is a vulnerability in Flysystem, an open source file storage library for PHP, that enables a Time-of-Check Time-of-Use (TOCTOU) race condition, leading to potential remote code execution.
The severity of CVE-2021-32708 is critical, with a CVSS v3.1 base score of 8.1.
Versions 1.0.0 up to but excluding 1.1.4, and versions 2.0.0 up to but excluding 2.1.1 of Flysystem are affected by CVE-2021-32708.
CVE-2021-32708 can be exploited by a malicious user under specific conditions, allowing them to execute code remotely.
Yes, a fix for CVE-2021-32708 is available. It is recommended to update Flysystem to a version that is not vulnerable.