{
  "schema_version": "1.4.0",
  "id": "GHSA-cvh5-p6r6-g2qc",
  "modified": "2021-08-26T20:11:49Z",
  "published": "2021-08-30T16:13:40Z",
  "aliases": [
    "CVE-2021-37704"
  ],
  "summary": "Exposed phpinfo() leadked via documentation files",
  "details": "### Impact\nThe `phpinfo()` can be exposed if the `/vendor` is not protected from public access. This is a rare situation today since the vendor directory is often located outside the web directory or protected via server rule (.htaccess, etc).\n\n### Patches\nOnly the v6, v7 and v8 will be patched respectively in 8.0.7, 7.1.2, 6.1.5.\nOlder versions such as v5, v4 are not longer supported and will **NOT** be patched.\n\n### Workarounds\nProtect the `/vendor` directory from public access.\n\n### References\nThe first issue revealing this vulnerability is located here: https://github.com/flextype/flextype/issues/567\nV6 fix: https://github.com/PHPSocialNetwork/phpfastcache/pull/815\nV7 fix: https://github.com/PHPSocialNetwork/phpfastcache/pull/814\nV8 fix: https://github.com/PHPSocialNetwork/phpfastcache/pull/813\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [our issue tracker](https://github.com/PHPSocialNetwork/phpfastcache/issues)\n* Email us at [security@geolim4.com](mailto:security@geolim4.com)\n",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpfastcache/phpfastcache"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.1.5"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpfastcache/phpfastcache"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.1.2"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpfastcache/phpfastcache"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.7"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/PHPSocialNetwork/phpfastcache/security/advisories/GHSA-cvh5-p6r6-g2qc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37704"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flextype/flextype/issues/567"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPSocialNetwork/phpfastcache/pull/813"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPSocialNetwork/phpfastcache/pull/814"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPSocialNetwork/phpfastcache/pull/815"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPSocialNetwork/phpfastcache/commit/41a77d0d8f126dbd6fbedcd9e6a82e86cdaafa51"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPSocialNetwork/phpfastcache/blob/master/CHANGELOG.md#807"
    },
    {
      "type": "WEB",
      "url": "https://packagist.org/packages/phpfastcache/phpfastcache"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-668"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-26T20:11:49Z",
    "nvd_published_at": "2021-08-12T20:15:00Z"
  }
}