SCA: security update for league/flysystem (GHSA-9f46-5r25-5wfm)

high Tenable Self-Hosted Container Security Plugin ID 413233

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Flysystem is an open source file storage library for PHP. The whitespace normalisation using in 1.x and
2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a
malicious user to execute code remotely. The conditions are: A user is allowed to supply the path or
filename of an uploaded file, the supplied path or filename is not checked against unicode chars, the
supplied pathname checked against an extension deny-list, not an allow-list, the supplied path or filename
contains a unicode whitespace char in the extension, the uploaded file is stored in a directory that
allows PHP code to be executed. Given these conditions are met a user can upload and execute arbitrary
code on the system under attack. The unicode whitespace removal has been replaced with a rejection
(exception). For 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1. (CVE-2021-32708)

See Also

https://github.com/advisories/GHSA-9f46-5r25-5wfm

Plugin Details

Severity: High

ID: 413233

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2021-32708

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/29/2021

Vulnerability Publication Date: 6/24/2021

Reference Information

CVE: CVE-2021-32708

cwe: CWE-367