CVE-2019-11830Deserialization of Untrusted Data in Pharstreamwrapper

CWE-502Deserialization of Untrusted Data8 documents5 sources
Severity
9.8CRITICALNVD
EPSS
2.4%
top 14.91%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Typo3 PharstreamwrapperTypo3 Phar-stream-wrapper
Timeline
PublishedMay 9
Latest updateMay 24

Description

PharMetaDataInterceptor in the PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 mishandles Phar stub parsing, which allows attackers to bypass a deserialization protection mechanism.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

NVDtypo3/pharstreamwrapper2.0.02.1.1+1
Packagisttypo3/phar-stream-wrapper2.0.02.1.1+1

🔴Vulnerability Details

3
OSV
PharStreamWrapper for Typo3 unsafe deserialization vulnerability2022-05-24
GHSA
PharStreamWrapper for Typo3 unsafe deserialization vulnerability2022-05-24
CVEList
CVE-2019-11830: PharMetaDataInterceptor in the PharStreamWrapper (aka phar-stream-wrapper) package 22019-05-09

💬Community

4
Bugzilla
CVE-2019-11830 CVE-2019-11831 php-typo3-phar-stream-wrapper2: various flaws [fedora-all]2019-05-10
Bugzilla
CVE-2019-11830 CVE-2019-11831 php-typo3-phar-stream-wrapper: various flaws [fedora-all]2019-05-10
Bugzilla
CVE-2019-11830 phar-stream-wrapper: mishandling of phar stub parsing leads to bypass a deserialization of protection mechanism2019-05-10
Bugzilla
CVE-2019-11830 CVE-2019-11831 php-typo3-phar-stream-wrapper2: various flaws [epel-7]2019-05-10
CVE-2019-11830 — Deserialization of Untrusted Data | cvebase