CVE-2019-11831

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-11831

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-11831.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-11831

Aliases

GHSA-xv7v-rf6g-xwrc

Related

Published

2019-05-09T04:29:01Z

Modified

2024-09-03T03:21:21.869629Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.

References

Affected packages

Git / github.com/drupal/drupal

Affected ranges

Type: GIT
Repo: https://github.com/drupal/drupal
Events: Introduced

497914920385b7016ac9c9367e0198530787adf2

Fixed

09a33aa82ad15d5179322199f694f1fa7e6fb3e2

Type: GIT
Repo: https://github.com/joomla/joomla-cms
Events: Introduced

c1acb7e6973bd549fe35a02659fe851ff1a37dfe

Fixed

21489b49ec8fe20a9a9ebbc2bb04f19b4df4d5ef

Type: GIT
Repo: https://github.com/typo3/phar-stream-wrapper
Events: Introduced

369f83042ea2e57d98dd04ce4c7318d008497a29

Fixed

e438b0c78652b33407983eb29d215a1a3f68f6f3

Affected versions

3.*

3.0.0

3.0.1

3.0.3

3.1.0_beta1

3.1.0_beta2

3.1.0_beta3

3.1.0_beta4

3.1.0_beta5

7.*

7.0

7.1

7.10

7.11

7.12

7.13

7.14

7.15

7.16

7.17

7.18

7.19

7.2

7.20

7.21

7.22

7.23

7.24

7.25

7.26

7.27

7.28

7.29

7.3

7.30

7.31

7.32

7.33

7.34

7.35

7.36

7.37

7.38

7.39

7.4

7.40

7.41

7.42

7.43

7.44

7.5

7.50

7.51

7.52

7.53

7.54

7.55

7.56

7.57

7.58

7.59

7.6

7.60

7.61

7.62

7.63

7.64

7.65

7.66

7.7

7.8

7.9

v.*

v.2.1.0

v2.*

v2.0.0

v2.0.1

v2.1.0