CVE-2021-21706 - log

CVE-2021-21706 edited at 26 Sep 2021 08:36:04
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Directory traversal
Description
+ A security issue has been found in PHP on Windows before versions 8.0.11 and 7.4.24. It is possible to construct ZIP archives containing files which are placed outside the destination directory given to ZipArchive::extractTo() because the implementation of php_zip_make_relative_path() doesn't properly cater to absolute directories on Windows; a path starting with a slash is not an absolute path on Windows, but rather a relative path pointing to the current volume.
References
+ https://www.php.net/ChangeLog-8.php#8.0.11
+ https://www.php.net/ChangeLog-7.php#7.4.24
+ https://bugs.php.net/bug.php?id=81420
+ https://github.com/php/php-src/commit/9976b5cd7f36d90b49d1dcf58ec6497f0e592b7d#commitcomment-55762818
+ https://github.com/php/php-src/commit/931bfc29ceb03265a45b4777992e9fc5ad7ee343
+ https://github.com/php/php-src/commit/648dce9ea95b6d63685fe6efa88e7ef662a4819a
Notes
CVE-2021-21706 created at 26 Sep 2021 08:27:43