CVE-2021-37704 MEDIUM

CVE-2021-37704: Exposed phpinfo() in PhpFastCache

Vendor Phpsocialnetwork

Product phpfastcache

Weakness CWE-200 · Info exposure

Published August 12, 2021

Last update August 4, 2024

View on NVD All CVEs

CVSS base score

5.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

What the vulnerability does

01Description

PhpFastCache is a high-performance backend cache system (packagist package phpfastcache/phpfastcache). In versions before 6.1.5, 7.1.2, and 8.0.7 the `phpinfo()` can be exposed if the `/vendor` is not protected from public access. This is a rare situation today since the vendor directory is often located outside the web directory or protected via server rule (.htaccess, etc). Only the v6, v7 and v8 will be patched respectively in 8.0.7, 7.1.2, 6.1.5. Older versions such as v5, v4 are not longer supported and will **NOT** be patched. As a workaround, protect the `/vendor` directory from public access.

Key dates

02Disclosure timeline

August 12, 2021 CVE published

August 4, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-37704 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

Identifiers

CVE CVE-2021-37704

CWE CWE-200

CVSS 5.4 / MEDIUM

Affected versions

Vendor Phpsocialnetwork

Product phpfastcache

Affected < 6.1.5

Vendor Phpsocialnetwork

Product phpfastcache

Affected >= 7.0.0, < 7.1.2

Vendor Phpsocialnetwork

Product phpfastcache

Affected >= 8.0.0, < 8.0.7

CVE-2021-37704: Exposed phpinfo() in PhpFastCache

01Description

02Disclosure timeline

03References

04Related CVE