Vulnerability Description
PhpFastCache is a high-performance backend cache system (Packagist package phpfastcache/phpfastcache). In versions before 6.1.5, 7.1.2, and 8.0.7, `phpinfo()` output can be exposed if the `/vendor` directory is not protected from public access. This is a rare situation today, since the vendor directory is often located outside the web directory or protected by a server rule (.htaccess, etc.). Only v6, v7 and v8 will be patched, in 6.1.5, 7.1.2 and 8.0.7 respectively. Older versions such as v5 and v4 are no longer supported and will **NOT** be patched. As a workaround, protect the `/vendor` directory from public access.
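Added example (not part of the advisory or of the phpfastcache project): a Python check that reads Composer's `vendor/composer/installed.json`, compares the installed phpfastcache version with the fixed releases named above, and flags installs whose vendor directory sits inside the web root. The function names and the `at_risk` result key are assumptions made for this example.

```python
import json
import re
from pathlib import Path

# First fixed release on each supported branch, as stated in the advisory.
FIXED = {6: (6, 1, 5), 7: (7, 1, 2), 8: (8, 0, 7)}
PACKAGE = "phpfastcache/phpfastcache"

def parse_version(text):
    """Turn 'v8.0.5' or '8.0.5' into (8, 0, 5); None for aliases like 'dev-master'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None

def is_patched(version):
    """True only when the version is at or above the fix for its major branch."""
    if version is None:
        return False                      # unknown version: treat as unpatched
    if version[0] > max(FIXED):
        return True                       # newer than every fixed branch
    fixed = FIXED.get(version[0])
    return fixed is not None and version >= fixed  # v5 and older get no fix

def installed_version(vendor_dir):
    """Read the phpfastcache version from Composer's installed.json manifest."""
    manifest = Path(vendor_dir) / "composer" / "installed.json"
    if not manifest.is_file():
        return None
    data = json.loads(manifest.read_text())
    # Composer 2 wraps the list in {"packages": [...]}; Composer 1 stores a bare list.
    packages = data.get("packages", []) if isinstance(data, dict) else data
    for pkg in packages:
        if pkg.get("name") == PACKAGE:
            return pkg.get("version")
    return None

def audit(vendor_dir, docroot):
    """Report whether an install meets both conditions named in the advisory."""
    raw = installed_version(vendor_dir)
    if raw is None:
        return {"installed": False, "at_risk": False}
    vendor, root = Path(vendor_dir).resolve(), Path(docroot).resolve()
    # Filesystem check only: a server deny rule on /vendor is not visible from here.
    in_docroot = vendor == root or root in vendor.parents
    patched = is_patched(parse_version(raw))
    return {"installed": True, "version": raw, "patched": patched,
            "vendor_in_docroot": in_docroot, "at_risk": in_docroot and not patched}
```

An `at_risk` result means the install should be upgraded or its `/vendor` directory moved or denied at the server; a server rule that already blocks `/vendor` has to be confirmed separately.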
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Phpfastcache | Phpfastcache | < 6.1.5 |
Related Weaknesses (CWE)
References
- https://github.com/PHPSocialNetwork/phpfastcache/blob/master/CHANGELOG.md#807 (Release Notes, Third Party Advisory)
- https://github.com/PHPSocialNetwork/phpfastcache/commit/41a77d0d8f126dbd6fbedcd9 (Patch, Third Party Advisory)
- https://github.com/PHPSocialNetwork/phpfastcache/pull/813 (Patch, Third Party Advisory)
- https://github.com/PHPSocialNetwork/phpfastcache/pull/814 (Third Party Advisory)
- https://github.com/PHPSocialNetwork/phpfastcache/pull/815 (Third Party Advisory)
- https://github.com/PHPSocialNetwork/phpfastcache/security/advisories/GHSA-cvh5-p (Third Party Advisory)
- https://github.com/flextype/flextype/issues/567 (Exploit, Issue Tracking, Third Party Advisory)
- https://packagist.org/packages/phpfastcache/phpfastcache (Product, Third Party Advisory)
FAQ
What is CVE-2021-37704?
CVE-2021-37704 is a vulnerability with a CVSS score of 5.4 (MEDIUM). PhpFastCache is a high-performance backend cache system (packagist package phpfastcache/phpfastcache). In versions before 6.1.5, 7.1.2, and 8.0.7 the `phpinfo()` can be exposed if the `/vendor` is not...
How severe is CVE-2021-37704?
CVE-2021-37704 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-37704?
Check the references section above for vendor advisories and patch information. Affected products include: Phpfastcache Phpfastcache.