CVE-2021-21706

Summary

In PHP versions 7.3.x below 7.3.31, 7.4.x below 7.4.24 and 8.0.x below 8.0.11, in Microsoft Windows environment, ZipArchive::extractTo may be tricked into writing a file outside target directory when extracting a ZIP file, thus potentially causing files to be created or overwritten, subject to OS permissions.

Affected Software

VendorProductVersion RangeStatus
PHP GroupPHP7.3.x < 7.3.31affected
PHP GroupPHP7.4.x < 7.4.24affected
PHP GroupPHP8.0.X < 8.0.11affected

Weaknesses

  • CWE-24: CWE-24 Path Traversal: '../filedir'

ADP Enrichment

CVE Program Container

Additional References

References