{"id":"CVE-2021-21706","details":"In PHP versions 7.3.x below 7.3.31, 7.4.x below 7.4.24 and 8.0.x below 8.0.11, in a Microsoft Windows environment, ZipArchive::extractTo may be tricked into writing a file outside the target directory when extracting a ZIP file, thus potentially causing files to be created or overwritten, subject to OS permissions.","aliases":["BIT-libphp-2021-21706","BIT-php-2021-21706","BIT-php-min-2021-21706"],"modified":"2026-03-14T10:44:22.477145Z","published":"2021-10-04T04:15:08.350Z","related":["SUSE-SU-2022:4068-1","SUSE-SU-2022:4069-1","openSUSE-SU-2024:11167-1","openSUSE-SU-2024:11169-1"],"references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20211029-0007/"},{"type":"FIX","url":"https://bugs.php.net/bug.php?id=81420"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/php/php-src","events":[{"introduced":"52ace952a1b65ca80fc2617f11c2fa6dd03f51bd"},{"fixed":"b54c8f052134668b13c4a3177f16b08d82233ade"},{"introduced":"3c7824e16ec4c3cee417262445d2c2b66531c10f"},{"fixed":"7d959d16546198e8012985109e5689abcae18b5f"},{"introduced":"5dc92c2117cafc61daaaaa240fd46c3ac33872a4"},{"fixed":"ca647c529295a4fde269e9a4dfa19fc4f245501c"}],"database_specific":{"versions":[{"introduced":"7.3.0"},{"fixed":"7.3.31"},{"introduced":"7.4.0"},{"fixed":"7.4.24"},{"introduced":"8.0.0"},{"fixed":"8.0.11"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21706.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}]}