正文

phpfastcache phpfastcache 信息暴露

admin
admin V管理员 /0 评论 /10 阅读
0417
此篇文章发布距今已超过1115天,您需要注意文章的内容或图片是否可用!

CVE编号

CVE-2021-37704

利用情况

暂无

补丁情况

N/A

披露时间

2021-08-13
漏洞描述
PhpFastCache is a high-performance backend cache system (packagist package phpfastcache/phpfastcache). In versions before 6.1.5, 7.1.2, and 8.0.7 the `phpinfo()` can be exposed if the `/vendor` is not protected from public access. This is a rare situation today since the vendor directory is often located outside the web directory or protected via server rule (.htaccess, etc). Only the v6, v7 and v8 will be patched respectively in 8.0.7, 7.1.2, 6.1.5. Older versions such as v5, v4 are not longer supported and will **NOT** be patched. As a workaround, protect the `/vendor` directory from public access.
解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
参考链接
https://github.com/flextype/flextype/issues/567
https://github.com/PHPSocialNetwork/phpfastcache/blob/master/CHANGELOG.md#807
https://github.com/PHPSocialNetwork/phpfastcache/commit/41a77d0d8f126dbd6fbed...
https://github.com/PHPSocialNetwork/phpfastcache/pull/813
https://github.com/PHPSocialNetwork/phpfastcache/pull/814
https://github.com/PHPSocialNetwork/phpfastcache/pull/815
https://github.com/PHPSocialNetwork/phpfastcache/security/advisories/GHSA-cvh...
https://packagist.org/packages/phpfastcache/phpfastcache
受影响软件情况
# 类型 厂商 产品 版本 影响面
1
运行在以下环境
应用 phpfastcache phpfastcache * Up to
(excluding)
6.1.5
运行在以下环境
应用 phpfastcache phpfastcache * From
(including)
7.0.0 		Up to
(excluding)
7.1.2
运行在以下环境
应用 phpfastcache phpfastcache * From
(including)
8.0.0 		Up to
(excluding)
8.0.7
CVSS3评分 4.3
  • 攻击路径 网络
  • 攻击复杂度 低
  • 权限要求 低
  • 影响范围 未更改
  • 用户交互 无
  • 可用性 无
  • 保密性 低
  • 完整性 无
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CWE-ID 漏洞类型 CWE-200 信息暴露 CWE-668 将资源暴露给错误范围