CVE-2021-21706

Source
Severity Medium
Remote Yes
Type Directory traversal
Description
A security issue has been found in PHP on Windows before versions 8.0.11 and 7.4.24. It is possible to construct ZIP archives containing files which are placed outside the destination directory given to ZipArchive::extractTo() because the implementation of php_zip_make_relative_path() doesn't properly cater to absolute directories on Windows; a path starting with a slash is not an absolute path on Windows, but rather a relative path pointing to the current volume.
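The following is an added example, not code from PHP or from this tracker: a pre-extraction audit that applies the Windows path rules described above to each entry name before ZipArchive::extractTo() is called. The helper names unsafeEntryReason() and auditZip() are hypothetical, and the sample entry names are constructed.

```php
<?php
// Hypothetical helper (not part of PHP): returns why an entry name is unsafe
// to extract on Windows, or null if it stays inside the destination directory.
function unsafeEntryReason(string $name): ?string
{
    // ZIP names use '/', but Windows also accepts '\' as a separator.
    $n = str_replace('\\', '/', $name);
    if ($n === '' || strpos($n, "\0") !== false) {
        return 'empty name or NUL byte';
    }
    // The advisory's case: a leading separator is rooted at the current volume.
    if ($n[0] === '/') {
        return 'leading separator (rooted on current volume)';
    }
    // Drive-qualified names such as "C:/x" or "C:x" select another location.
    if (preg_match('/^[A-Za-z]:/', $n) === 1) {
        return 'drive letter prefix';
    }
    // Any ".." segment is rejected conservatively.
    if (in_array('..', explode('/', $n), true)) {
        return 'parent directory segment';
    }
    return null;
}

// Hypothetical helper: lists every unsafe entry; extract only if this is empty.
function auditZip(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    $bad = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        $reason = $name === false ? 'unreadable name' : unsafeEntryReason($name);
        if ($reason !== null) {
            $bad[$name === false ? "#$i" : $name] = $reason;
        }
    }
    $zip->close();
    return $bad;
}

// Constructed sample names, checked without needing an archive on disk.
foreach (['docs/readme.txt', '/Windows/x.ini', '\\x', 'C:x', 'a/../../b'] as $n) {
    printf("%-18s %s\n", $n, unsafeEntryReason($n) ?? 'ok');
}
```

Only the first sample name is reported as ok; the other four are flagged, including the leading-slash form this CVE concerns.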
Group     Package  Affected  Fixed     Severity  Status        Ticket
AVG-2421  php7     7.4.23-1  7.4.24-1  Medium    Not affected
AVG-2420  php      8.0.10-1  8.0.11-1  Medium    Not affected
References
https://www.php.net/ChangeLog-8.php#8.0.11
https://www.php.net/ChangeLog-7.php#7.4.24
https://bugs.php.net/bug.php?id=81420
https://github.com/php/php-src/commit/9976b5cd7f36d90b49d1dcf58ec6497f0e592b7d#commitcomment-55762818
https://github.com/php/php-src/commit/931bfc29ceb03265a45b4777992e9fc5ad7ee343
https://github.com/php/php-src/commit/648dce9ea95b6d63685fe6efa88e7ef662a4819a