Time-of-check Time-of-use (TOCTOU) Race Condition in league/flysystem
CVE-2021-32708

9.8CRITICAL

Key Information:

Vendor: ThePHPleague
Status: Flysystem
Vendor: CVE Published:; 24 June 2021

🔔 Create ThePHPleague Vulnerability Alert

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2021-32708?

Flysystem is an open source file storage library for PHP. The whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely. The conditions are: A user is allowed to supply the path or filename of an uploaded file, the supplied path or filename is not checked against unicode chars, the supplied pathname checked against an extension deny-list, not an allow-list, the supplied path or filename contains a unicode whitespace char in the extension, the uploaded file is stored in a directory that allows PHP code to be executed. Given these conditions are met a user can upload and execute arbitrary code on the system under attack. The unicode whitespace removal has been replaced with a rejection (exception). For 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.

Affected Version(s)

flysystem < 1.1.4 < 1.1.4

flysystem >= 2.0.0, < 2.1.1 < 2.0.0, 2.1.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2021-32708
Created by fazilbaig1