Vulnerability Name: | CVE-2021-21706 (CCN-210569) | ||||||||||||||||||||||||||||||||
Assigned: | 2021-09-06 | ||||||||||||||||||||||||||||||||
Published: | 2021-09-06 | ||||||||||||||||||||||||||||||||
Updated: | 2021-11-03 | ||||||||||||||||||||||||||||||||
Summary: | In PHP versions 7.3.x below 7.3.31, 7.4.x below 7.4.24 and 8.0.x below 8.0.11, in Microsoft Windows environment, ZipArchive::extractTo may be tricked into writing a file outside target directory when extracting a ZIP file, thus potentially causing files to be created or overwritten, subject to OS permissions. | ||||||||||||||||||||||||||||||||
CVSS v3 Severity: | 6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) 5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
| ||||||||||||||||||||||||||||||||
CVSS v2 Severity: | 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
| ||||||||||||||||||||||||||||||||
Vulnerability Type: | CWE-22 | ||||||||||||||||||||||||||||||||
Vulnerability Consequences: | File Manipulation | ||||||||||||||||||||||||||||||||
References: | Source: MITRE Type: CNA CVE-2021-21706 Source: CCN Type: PHP Sec Bug #81420 ZipArchive::extractTo may extract outside of destination dir Source: CONFIRM Type: Issue Tracking, Patch, Vendor Advisory N/A Source: XF Type: UNKNOWN php-cve202121706-dir-traversal(210569) Source: CONFIRM Type: Third Party Advisory https://security.netapp.com/advisory/ntap-20211029-0007/ Source: CCN Type: PHP Web site PHP | ||||||||||||||||||||||||||||||||
Vulnerable Configuration: | Configuration 1: Denotes that component is vulnerable | ||||||||||||||||||||||||||||||||
Oval Definitions | |||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||
BACK |