Absolute Path Traversal in PHP - CVE-2021-21706

 

Absolute Path Traversal in PHP - CVE-2021-21706

Published: September 29, 2021 / Updated: September 30, 2021


Vulnerability identifier: #VU56905
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-21706
CWE-ID: CWE-36
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: PHP Group
Affected software:
PHP

Detailed vulnerability description

The vulnerability allows a remote attacker overwrite files on the system.

The vulnerability exists due to insufficient filtration of file names in the php_zip_make_relative_path() function on Windows systems. A remote attacker can construct a specially crafted ZIP archive, which once extracted by the ZipArchive::extractTo() function, can overwrite files outside of the destination directory.

Successful exploitation of the vulnerability may allow an attacker to overwrite arbitrary files on the system with privileges of the web server, but requires that the web application is running on Windows.


How to mitigate CVE-2021-21706

Install updates from vendor's website.

Sources