CVE-2021-37704: Exposed phpinfo() in PhpFastCache

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2021-37704

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Exposed phpinfo() in PhpFastCache

Source: NVD (National Vulnerability Database)

Vulnerability Description

PhpFastCache is a high-performance backend cache system (packagist package phpfastcache/phpfastcache). In versions before 6.1.5, 7.1.2, and 8.0.7 the `phpinfo()` can be exposed if the `/vendor` is not protected from public access. This is a rare situation today since the vendor directory is often located outside the web directory or protected via server rule (.htaccess, etc). Only the v6, v7 and v8 will be patched respectively in 8.0.7, 7.1.2, 6.1.5. Older versions such as v5, v4 are not longer supported and will **NOT** be patched. As a workaround, protect the `/vendor` directory from public access.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

Source: NVD (National Vulnerability Database)

Vulnerability Type

信息暴露

Source: NVD (National Vulnerability Database)

Vulnerability Title

phpfastcache 信息泄露漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

phpfastcache是一套后端缓存系统。 PhpFastCache存在信息泄露漏洞，该漏洞源于软件对于"vendor"目录缺乏有效的访问保护，导致攻击者可以访问"phpinfo()"。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
PHPSocialNetwork	phpfastcache	< 6.1.5	-

II. Public POCs for CVE-2021-37704

#	POC Description	Source Link	Shenlong Link
1	phpinfo() is susceptible to resource exposure in unprotected composer vendor folders via phpfastcache/phpfastcache.	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-37704.yaml	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2021-37704

Please Login to view more intelligence information

https://github.com/PHPSocialNetwork/phpfastcache/blob/master/CHANGELOG.md#807x_refsource_MISC
https://github.com/PHPSocialNetwork/phpfastcache/security/advisories/GHSA-cvh5-p6r6-g2qcx_refsource_CONFIRM
https://github.com/PHPSocialNetwork/phpfastcache/pull/814x_refsource_MISC
https://github.com/PHPSocialNetwork/phpfastcache/pull/813x_refsource_MISC
https://github.com/PHPSocialNetwork/phpfastcache/commit/41a77d0d8f126dbd6fbedcd9e6a82e86cdaafa51x_refsource_MISC
https://github.com/flextype/flextype/issues/567x_refsource_MISC
https://packagist.org/packages/phpfastcache/phpfastcachex_refsource_MISC
https://github.com/PHPSocialNetwork/phpfastcache/pull/815x_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2021-37704

IV. Related Vulnerabilities

Same product: phpfastcache

CVE-2019-16774
Object injection in cookie driver

Same vendor: PHPSocialNetwork

CVE-2019-16774
Object injection in cookie driver

Same weakness: CWE-200

V. Comments for CVE-2021-37704

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2021-37704

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2021-37704

III. Intelligence Information for CVE-2021-37704

IV. Related Vulnerabilities

V. Comments for CVE-2021-37704

Leave a comment