CVE-2019-11831 — Path Traversal in Pharstreamwrapper
Severity: 9.8 CRITICAL (NVD)
EPSS: 9.7% (top 7.09%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: May 9
Latest update: Sep 30
Description
The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 3.9 | Impact: 5.9)
Affected packages: 6 packages
Also affects: Debian Linux 8.0, 9.0; Fedora 28, 29, 30
Vulnerability Details
OSV (5): CVE-2019-11831: This security release fixes third-party dependencies included in or required by Drupal core (2019-05-08)
Vendor Advisories (1)
Community (4)
Bugzilla: CVE-2019-11831 phar-stream-wrapper: TYPO3 does not prevent directory traversal, resulting in bypass of a deserialization protection mechanism (2019-05-10)