CVE-2013-1397 — Code Injection in Symfony

CWE-94 — Code Injection5 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.6%

top 29.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Symfony Symfony Yaml Sensiolabs Symfony

Timeline

PublishedJun 2

Latest updateMay 17

Description

Symfony 2.0.x before 2.0.22, 2.1.x before 2.1.7, and 2.2.x remote attackers to execute arbitrary PHP code via a serialized PHP object to the (1) Yaml::parse or (2) Yaml\Parser::parse function, a different vulnerability than CVE-2013-1348.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

▶Packagistsymfony/yaml2.0.0 — 2.0.22+2

▶Packagistsymfony/symfony2.2.0-BETA1 — 2.2.0-BETA2+2

▶NVDsensiolabs/symfony40 versions+39

🔴Vulnerability Details

OSV

Symfony Arbitrary PHP code Execution↗2022-05-17

▶

GHSA

Symfony Arbitrary PHP code Execution↗2022-05-17

▶

GHSA

Symphony Vulnerable to PHP Code Injection via YAML Parsing↗2022-05-17

▶

CVEList

CVE-2013-1397: Symfony 2↗2014-06-02

▶