CVE-2021-37704
CVSS V2 Medium 4
CVSS V3 Medium 4.3
Description
PhpFastCache is a high-performance backend cache system (packagist package phpfastcache/phpfastcache). In versions before 6.1.5, 7.1.2, and 8.0.7 the `phpinfo()` can be exposed if the `/vendor` is not protected from public access. This is a rare situation today since the vendor directory is often located outside the web directory or protected via server rule (.htaccess, etc). Only the v6, v7 and v8 will be patched respectively in 8.0.7, 7.1.2, 6.1.5. Older versions such as v5, v4 are not longer supported and will **NOT** be patched. As a workaround, protect the `/vendor` directory from public access.
Overview
- CVE ID
- CVE-2021-37704
- Assigner
- security-advisories@github.com
- Vulnerability Status
- Analyzed
- Published Version
- 2021-08-12T20:15:07
- Last Modified Date
- 2022-10-27T12:41:42
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:phpfastcache:phpfastcache:*:*:*:*:*:*:*:* | 1 | OR | 6.1.5 | |
| cpe:2.3:a:phpfastcache:phpfastcache:*:*:*:*:*:*:*:* | 1 | OR | 7.0.0 | 7.1.2 |
| cpe:2.3:a:phpfastcache:phpfastcache:*:*:*:*:*:*:*:* | 1 | OR | 8.0.0 | 8.0.7 |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:N/AC:L/Au:S/C:P/I:N/A:N
- Access Vector
- NETWORK
- Access Compatibility
- LOW
- Authentication
- SINGLE
- Confidentiality Impact
- PARTIAL
- Integrity Impact
- NONE
- Availability Impact
- NONE
- Base Score
- 4
- Severity
- MEDIUM
- Exploitability Score
- 8
- Impact Score
- 2.9
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- LOW
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- LOW
- Availability Impact
- NONE
- Base Score
- 4.3
- Base Severity
- MEDIUM
- Exploitability Score
- 2.8
- Impact Score
- 1.4
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/PHPSocialNetwork/phpfastcache/security/advisories/GHSA-cvh5-p6r6-g2qc | Third Party Advisory |
| https://packagist.org/packages/phpfastcache/phpfastcache | Product Third Party Advisory |
| https://github.com/PHPSocialNetwork/phpfastcache/blob/master/CHANGELOG.md#807 | Release Notes Third Party Advisory |
| https://github.com/flextype/flextype/issues/567 | Exploit Issue Tracking Third Party Advisory |
| https://github.com/PHPSocialNetwork/phpfastcache/commit/41a77d0d8f126dbd6fbedcd9e6a82e86cdaafa51 | Patch Third Party Advisory |
| https://github.com/PHPSocialNetwork/phpfastcache/pull/813 | Patch Third Party Advisory |
| https://github.com/PHPSocialNetwork/phpfastcache/pull/814 | Third Party Advisory |
| https://github.com/PHPSocialNetwork/phpfastcache/pull/815 | Third Party Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2021-37704 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37704 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-05-10 06:56:26 | Added to TrackCVE | |||
| 2022-12-05 08:06:52 | 2021-08-12T20:15Z | 2021-08-12T20:15:07 | CVE Published Date | updated |
| 2022-12-05 08:06:52 | 2022-10-27T12:41:42 | CVE Modified Date | updated | |
| 2022-12-05 08:06:52 | Analyzed | Vulnerability Status | updated |