5.4

CVE-2021-37704

Exploit

Exposed phpinfo() in PhpFastCache

PhpFastCache is a high-performance backend cache system (packagist package phpfastcache/phpfastcache). In versions before 6.1.5, 7.1.2, and 8.0.7, `phpinfo()` output can be exposed if the `/vendor` directory is not protected from public access. This is a rare situation today, since the vendor directory is often located outside the web directory or protected via a server rule (.htaccess, etc.). Only v6, v7 and v8 will be patched, in 6.1.5, 7.1.2 and 8.0.7 respectively. Older versions such as v5 and v4 are no longer supported and will **NOT** be patched. As a workaround, protect the `/vendor` directory from public access.
Data provided by the National Vulnerability Database (NVD)
Phpfastcache / Phpfastcache: Version < 6.1.5
Phpfastcache / Phpfastcache: Version >= 7.0.0 < 7.1.2
Phpfastcache / Phpfastcache: Version >= 8.0.0 < 8.0.7
No alert was found for this CVE.
EPSS Metrics

| Type | Source | Score | Percentile |
|------|--------|-------|------------|
| EPSS | FIRST.org | 6.13% | 0.925 |
CVSS Metrics

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|--------|------------|---------------|--------------|---------------|
| nvd@nist.gov | 4.3 | 2.8 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| nvd@nist.gov | 4 | 8 | 2.9 | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| security-advisories@github.com | 5.4 | 2.8 | 2.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L |

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-668 Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

https://github.com/PHPSocialNetwork/phpfastcache/blob/master/CHANGELOG.md#807 (Third Party Advisory, Release Notes)
https://github.com/PHPSocialNetwork/phpfastcache/commit/41a77d0d8f126dbd6fbedcd9e6a82e86cdaafa51 (Patch, Third Party Advisory)
https://github.com/PHPSocialNetwork/phpfastcache/pull/813 (Patch, Third Party Advisory)
https://github.com/PHPSocialNetwork/phpfastcache/pull/814 (Third Party Advisory)
https://github.com/PHPSocialNetwork/phpfastcache/pull/815 (Third Party Advisory)
https://github.com/PHPSocialNetwork/phpfastcache/security/advisories/GHSA-cvh5-p6r6-g2qc (Third Party Advisory)
https://github.com/flextype/flextype/issues/567 (Third Party Advisory, Exploit, Issue Tracking)
https://packagist.org/packages/phpfastcache/phpfastcache (Third Party Advisory, Product)