Knplabs Knp-Snappy vulnerabilities
2 known vulnerabilities affecting knplabs/knp-snappy.
Total CVEs
2
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL: 2
Vulnerabilities
Page 1 of 1
CVE-2023-41330 | CRITICAL | CVSS 9.8 | affected versions: ≥ 0, < 1.4.3 | published 2023-09-08
CVE-2023-41330 [CRITICAL] CWE-502 Snappy PHAR deserialization vulnerability
Snappy PHAR deserialization vulnerability
## Issue
On March 17th the vulnerability [CVE-2023-28115 was disclosed](https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc), allowing an attacker to gain remote code execution through PHAR deserialization. To fix this issue, version 1.4.2 was released with an additional check in the affected function to prevent the usage of the `phar://` wrapper. Howe
Sources: GHSA, OSV
CVE-2023-28115 | CRITICAL | affected versions: ≥ 0, < 1.4.2 | published 2023-03-17
CVE-2023-28115 [CRITICAL] CWE-502 PHAR deserialization allowing remote code execution
PHAR deserialization allowing remote code execution
## Description
snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server, they can pass the `phar://` protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution.
Sources: GHSA, OSV