CVE-2019-11831
Published: 9 May 2019
The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.
Priority
CVSS 3 base score: 9.8
Status
Package | Release | Status |
---|---|---|
drupal7 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
cosmic |
Does not exist
|
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
hirsute |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Ignored
(end of standard support, was needs-triage)
|
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11831
- https://www.drupal.org/SA-CORE-2019-007
- https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1
- https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1
- https://typo3.org/security/advisory/typo3-psa-2019-007/
- NVD
- Launchpad
- Debian