GHSA-xv7v-rf6g-xwrc

Suggest an improvement
Source
https://github.com/advisories/GHSA-xv7v-rf6g-xwrc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-xv7v-rf6g-xwrc/GHSA-xv7v-rf6g-xwrc.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-xv7v-rf6g-xwrc
Aliases
Published
2021-09-30T17:10:14Z
Modified
2025-11-20T23:27:54.873160Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Directory Traversal in typo3/phar-stream-wrapper
Details

The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.

Database specific 
{
    "cwe_ids": [
        "CWE-22",
        "CWE-502"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2019-05-09T04:29:00Z",
    "github_reviewed_at": "2021-09-30T16:49:05Z",
    "severity": "CRITICAL"
}
References

Affected packages

Packagist

typo3/phar-stream-wrapper

Package

Name
typo3/phar-stream-wrapper
Purl
pkg:composer/typo3/phar-stream-wrapper

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.1.1

Affected versions

v2.*

v2.0.0
v2.0.1
v2.1.0

typo3/phar-stream-wrapper

Package

Name
typo3/phar-stream-wrapper
Purl
pkg:composer/typo3/phar-stream-wrapper

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.1.1

Affected versions

v3.*

v3.0.0
v3.0.1
v3.1.0

drupal/core

Package

Name
drupal/core
Purl
pkg:composer/drupal/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.67.0

drupal/core

Package

Name
drupal/core
Purl
pkg:composer/drupal/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.6.16

Affected versions

8.*

8.0.0
8.0.1
8.0.2
8.0.3
8.0.4
8.0.5
8.0.6
8.1.0-beta1
8.1.0-beta2
8.1.0-rc1
8.1.0
8.1.1
8.1.2
8.1.3
8.1.4
8.1.5
8.1.6
8.1.7
8.1.8
8.1.9
8.1.10
8.2.0-beta1
8.2.0-beta2
8.2.0-beta3
8.2.0-rc1
8.2.0-rc2
8.2.0
8.2.1
8.2.2
8.2.3
8.2.4
8.2.5
8.2.6
8.2.7
8.2.8
8.3.0-alpha1
8.3.0-beta1
8.3.0-rc1
8.3.0-rc2
8.3.0
8.3.1
8.3.2
8.3.3
8.3.4
8.3.5
8.3.6
8.3.7
8.3.8
8.3.9
8.4.0-alpha1
8.4.0-beta1
8.4.0-rc1
8.4.0-rc2
8.4.0
8.4.1
8.4.2
8.4.3
8.4.4
8.4.5
8.4.6
8.4.7
8.4.8
8.5.0-alpha1
8.5.0-beta1
8.5.0-rc1
8.5.0
8.5.1
8.5.2
8.5.3
8.5.4
8.5.5
8.5.6
8.5.7
8.5.8
8.5.9
8.5.10
8.5.11
8.5.12
8.5.13
8.5.14
8.5.15
8.6.0-alpha1
8.6.0-beta1
8.6.0-beta2
8.6.0-rc1
8.6.0
8.6.1
8.6.2
8.6.3
8.6.4
8.6.5
8.6.6
8.6.7
8.6.8
8.6.9
8.6.10
8.6.11
8.6.12
8.6.13
8.6.14
8.6.15

drupal/core

Package

Name
drupal/core
Purl
pkg:composer/drupal/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.7.0
Fixed
8.7.1

Affected versions

8.*

8.7.0

drupal/drupal

Package

Name
drupal/drupal
Purl
pkg:composer/drupal/drupal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.67.0

drupal/drupal

Package

Name
drupal/drupal
Purl
pkg:composer/drupal/drupal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.6.16

Affected versions

8.*

8.0.0
8.0.1
8.0.2
8.0.3
8.0.4
8.0.5
8.0.6
8.1.0-beta1
8.1.0-beta2
8.1.0-rc1
8.1.0
8.1.1
8.1.2
8.1.3
8.1.4
8.1.5
8.1.6
8.1.7
8.1.8
8.1.9
8.1.10
8.2.0-beta1
8.2.0-beta2
8.2.0-beta3
8.2.0-rc1
8.2.0-rc2
8.2.0
8.2.1
8.2.2
8.2.3
8.2.4
8.2.5
8.2.6
8.2.7
8.2.8
8.3.0-alpha1
8.3.0-beta1
8.3.0-rc1
8.3.0-rc2
8.3.0
8.3.1
8.3.2
8.3.3
8.3.4
8.3.5
8.3.6
8.3.7
8.3.8
8.3.9
8.4.0-alpha1
8.4.0-beta1
8.4.0-rc1
8.4.0-rc2
8.4.0
8.4.1
8.4.2
8.4.3
8.4.4
8.4.5
8.4.6
8.4.7
8.4.8
8.5.0-alpha1
8.5.0-beta1
8.5.0-rc1
8.5.0
8.5.1
8.5.2
8.5.3
8.5.4
8.5.5
8.5.6
8.5.7
8.5.8
8.5.9
8.5.10
8.5.11
8.5.12
8.5.13
8.5.14
8.5.15
8.6.0-alpha1
8.6.0-beta1
8.6.0-beta2
8.6.0-rc1
8.6.0
8.6.1
8.6.2
8.6.3
8.6.4
8.6.5
8.6.6
8.6.7
8.6.8
8.6.9
8.6.10
8.6.11
8.6.12
8.6.13
8.6.14
8.6.15

drupal/drupal

Package

Name
drupal/drupal
Purl
pkg:composer/drupal/drupal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.7.0
Fixed
8.7.1

Affected versions

8.*

8.7.0