CVE-2021-32708: Time-of-check Time-of-use (TOCTOU) Race Condition in Flysystem

Severity: 8.1 HIGH (NVD)
EPSS: 7.3% (top 8.29%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 24; latest update Feb 8

Description

Flysystem is an open source file storage library for PHP. The whitespace normalisation used in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely. The conditions are: a user is allowed to supply the path or filename of an uploaded file, the supplied path or filename is not checked against unicode chars, the supplied pathname is checked against an extension deny-list, not an allow-list, the supplied pa
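The conditions above all come down to validating a filename in one form and storing it in another. The following is an added example, not Flysystem's own code and not from the advisory: a standalone PHP check that validates the user-supplied name exactly as it will be stored, so that a later whitespace normalisation step cannot change which extension the check saw. The allow-list contents and the function name are hypothetical choices made for illustration.

```php
<?php
// Added example (not Flysystem's own code): validate a user-supplied upload
// filename before it reaches any storage layer that normalises whitespace.
// The allow-list and the helper name are hypothetical, chosen for illustration.

declare(strict_types=1);

/** Extensions this hypothetical application is willing to store. */
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

/**
 * Returns true only when $name is a single path segment made of printable
 * ASCII with an allow-listed extension.
 *
 * Rejecting every byte outside 0x21-0x7E closes the gap described in the
 * advisory: nothing a normaliser could strip (Unicode whitespace, control
 * characters) is present, so the validated name and the stored name agree.
 * An allow-list replaces the deny-list, so an unexpected extension is rejected
 * rather than silently accepted.
 */
function isSafeUploadName(string $name): bool
{
    // 1. Printable ASCII only. The ASCII space (0x20) is excluded on purpose.
    if ($name === '' || preg_match('/[^\x21-\x7E]/', $name) !== 0) {
        return false;
    }
    // 2. A single path segment: no directory separators, no '.' or '..'.
    if (strpbrk($name, "/\\") !== false || $name === '.' || $name === '..') {
        return false;
    }
    // 3. Allow-list the extension (case-insensitive) instead of deny-listing.
    $dot = strrpos($name, '.');
    if ($dot === false || $dot === 0 || $dot === strlen($name) - 1) {
        return false;
    }
    $ext = strtolower(substr($name, $dot + 1));
    return in_array($ext, ALLOWED_EXTENSIONS, true);
}

// Constructed sample inputs for a local run (php validate.php):
$samples = [
    "report.pdf",          // accepted
    "photo.JPG",           // accepted: allow-list is case-insensitive
    "notes.txt",           // rejected: extension not on the allow-list
    "photo.jpg\u{00A0}",   // rejected: non-ASCII whitespace present
    "../photo.jpg",        // rejected: directory separator present
    ".jpg",                // rejected: no base name
];
foreach ($samples as $s) {
    printf("%-24s %s\n", json_encode($s), isSafeUploadName($s) ? 'accept' : 'reject');
}
```

The check deliberately runs on the raw bytes rather than on a normalised copy: if the application needs to tolerate spaces or non-ASCII names, the safe order is to normalise first and then validate the result, never the reverse.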

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9

Affected Packages (4 packages)

Source     | Package                      | Affected versions
Packagist  | league/flysystem             | 2.0.0 to 2.1.1 (+1 more range)
CVEListV5  | thephpleague/flysystem       | < 1.1.4 (+1 more range)
NVD        | thephpleague/flysystem       | 1.0.0 to 1.1.4 (+1 more range)
debian     | debian/php-league-flysystem  | < php-league-flysystem 1.1.3-4 (bookworm)

Also affects: Fedora 33, 34

Patches

🔴 Vulnerability Details (3)

OSV: Time-of-check Time-of-use (TOCTOU) Race Condition in league/flysystem (2021-06-29)
GHSA: Time-of-check Time-of-use (TOCTOU) Race Condition in league/flysystem (2021-06-29)
OSV: CVE-2021-32708: Flysystem is an open source file storage library for PHP (2021-06-24)

📋 Vendor Advisories (1)

Debian: CVE-2021-32708: php-league-flysystem - Flysystem is an open source file storage library for PHP. The whitespace normali... (2021)

💬 Community (1)

HackerOne: Suspicious login app ships old league/flysystem version (2023-02-08)