CVE-2021-21703

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-21703
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-21703.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-21703
Aliases
Related
Published
2021-10-25T06:15:06Z
Modified
2024-10-12T06:50:25.055671Z
Severity
  • 7.0 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user.

References

Affected packages

Debian:11 / php7.4

Package

Name
php7.4
Purl
pkg:deb/debian/php7.4?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
7.4.25-1+deb11u1

Affected versions

7.*

7.4.21-1+deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/php/php-src

Affected ranges

Type
GIT
Repo
https://github.com/php/php-src
Events