GHSA-6rgh-r6j3-3223

Source

https://github.com/advisories/GHSA-6rgh-r6j3-3223

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-6rgh-r6j3-3223/GHSA-6rgh-r6j3-3223.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-6rgh-r6j3-3223

Aliases

CVE-2024-47049

Published

2024-09-17T15:31:23Z

Modified

2024-09-17T21:42:27.121318Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator

Summary

czim/file-handling vulnerable to SSRF and directory traversal

Details

The czim/file-handling package before 1.5.0 and 2.x before 2.3.0 (used with PHP Composer) does not properly validate URLs within makeFromUrl and makeFromAny, leading to SSRF, and to directory traversal for the reading of local files.

References

Affected packages

Packagist / czim/file-handling

Package

Name: czim/file-handling
Purl: pkg:composer/czim/file-handling

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.5.0

Affected versions

0.*

0.9.0

0.9.1

0.9.2

0.9.3

0.9.4

0.9.5

0.9.6

0.9.7

0.9.8

0.9.9

0.9.10

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.2.0

1.2.1

1.3.0

1.3.1

1.3.2

1.4.0

Packagist / czim/file-handling

Package

Name: czim/file-handling
Purl: pkg:composer/czim/file-handling

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.3.0

Affected versions

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.2.1