Vulnerability-Lookup

CVE-2019-11831 (GCVE-0-2019-11831)

Vulnerability from cvelistv5 – Published: 2019-05-09 03:52 – Updated: 2024-08-04 23:03

Summary

The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://www.drupal.org/sa-core-2019-007	x_refsource_CONFIRM
	https://github.com/TYPO3/phar-stream-wrapper/rele…	x_refsource_MISC
	https://github.com/TYPO3/phar-stream-wrapper/rele…	x_refsource_MISC
	https://typo3.org/security/advisory/typo3-psa-2019-007/	x_refsource_MISC
	https://www.synology.com/security/advisory/Synolo…	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/108302	vdb-entryx_refsource_BID
	https://www.debian.org/security/2019/dsa-4445	vendor-advisoryx_refsource_DEBIAN
	https://seclists.org/bugtraq/2019/May/36	mailing-listx_refsource_BUGTRAQ
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.debian.org/debian-lts-announce/2019…	mailing-listx_refsource_MLIST
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:03:32.804Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.drupal.org/sa-core-2019-007"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://typo3.org/security/advisory/typo3-psa-2019-007/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.synology.com/security/advisory/Synology_SA_19_22"
          },
          {
            "name": "108302",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/108302"
          },
          {
            "name": "DSA-4445",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4445"
          },
          {
            "name": "20190515 [SECURITY] [DSA 4445-1] drupal7 security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/May/36"
          },
          {
            "name": "FEDORA-2019-3c89837025",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523/"
          },
          {
            "name": "FEDORA-2019-4d93cf2b34",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR/"
          },
          {
            "name": "FEDORA-2019-d5f883429d",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW/"
          },
          {
            "name": "[debian-lts-announce] 20190520 [SECURITY] [DLA 1797-1] drupal7 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html"
          },
          {
            "name": "FEDORA-2019-84a50e34a9",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH/"
          },
          {
            "name": "FEDORA-2019-41d6ffd6f0",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4/"
          },
          {
            "name": "FEDORA-2019-040857fd75",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-05-25T05:06:03",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.drupal.org/sa-core-2019-007"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://typo3.org/security/advisory/typo3-psa-2019-007/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.synology.com/security/advisory/Synology_SA_19_22"
        },
        {
          "name": "108302",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/108302"
        },
        {
          "name": "DSA-4445",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4445"
        },
        {
          "name": "20190515 [SECURITY] [DSA 4445-1] drupal7 security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/May/36"
        },
        {
          "name": "FEDORA-2019-3c89837025",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523/"
        },
        {
          "name": "FEDORA-2019-4d93cf2b34",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR/"
        },
        {
          "name": "FEDORA-2019-d5f883429d",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW/"
        },
        {
          "name": "[debian-lts-announce] 20190520 [SECURITY] [DLA 1797-1] drupal7 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html"
        },
        {
          "name": "FEDORA-2019-84a50e34a9",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH/"
        },
        {
          "name": "FEDORA-2019-41d6ffd6f0",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4/"
        },
        {
          "name": "FEDORA-2019-040857fd75",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-11831",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.drupal.org/sa-core-2019-007",
              "refsource": "CONFIRM",
              "url": "https://www.drupal.org/sa-core-2019-007"
            },
            {
              "name": "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1",
              "refsource": "MISC",
              "url": "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1"
            },
            {
              "name": "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1",
              "refsource": "MISC",
              "url": "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1"
            },
            {
              "name": "https://typo3.org/security/advisory/typo3-psa-2019-007/",
              "refsource": "MISC",
              "url": "https://typo3.org/security/advisory/typo3-psa-2019-007/"
            },
            {
              "name": "https://www.synology.com/security/advisory/Synology_SA_19_22",
              "refsource": "CONFIRM",
              "url": "https://www.synology.com/security/advisory/Synology_SA_19_22"
            },
            {
              "name": "108302",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/108302"
            },
            {
              "name": "DSA-4445",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4445"
            },
            {
              "name": "20190515 [SECURITY] [DSA 4445-1] drupal7 security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/May/36"
            },
            {
              "name": "FEDORA-2019-3c89837025",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523/"
            },
            {
              "name": "FEDORA-2019-4d93cf2b34",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR/"
            },
            {
              "name": "FEDORA-2019-d5f883429d",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW/"
            },
            {
              "name": "[debian-lts-announce] 20190520 [SECURITY] [DLA 1797-1] drupal7 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html"
            },
            {
              "name": "FEDORA-2019-84a50e34a9",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH/"
            },
            {
              "name": "FEDORA-2019-41d6ffd6f0",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4/"
            },
            {
              "name": "FEDORA-2019-040857fd75",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-11831",
    "datePublished": "2019-05-09T03:52:01",
    "dateReserved": "2019-05-08T00:00:00",
    "dateUpdated": "2024-08-04T23:03:32.804Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-11831\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2019-05-09T04:29:01.100\",\"lastModified\":\"2024-11-21T04:21:50.990\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.\"},{\"lang\":\"es\",\"value\":\"El paquete PharStreamWrapper (tambi\u00e9n conocido como phar-stream-wrapper), versiones 2.x anteriores a 2.1.1 y 3.x anteriores a 3.1.1 para TYPO3, no impide el salto de directorio, lo que permite a los atacantes eludir un mecanismo de protecci\u00f3n de deserializaci\u00f3n, como lo demuestra una URL phar:///path/bad.phar/../good.phar.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"},{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:pharstreamwrapper:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.1.1\",\"matchCriteriaId\":\"371F0F1E-7AFC-4D2C-94C9-658E576AB174\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:pharstreamwrapper:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.1.1\",\"matchCriteriaId\":\"FE43F72C-3838-4B40-82AA-E085E58B75BA\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DC1BD7B7-6D88-42B8-878E-F1318CA5FCAF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D100F7CE-FC64-4CC6-852A-6136D72DA419\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"97A4B8DF-58DA-4AB6-A1F9-331B36409BA3\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.0\",\"versionEndExcluding\":\"7.67\",\"matchCriteriaId\":\"6C33BB44-B730-49BC-94D3-EB487FE42CE7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.6.0\",\"versionEndExcluding\":\"8.6.16\",\"matchCriteriaId\":\"E57598D1-ECC8-434B-846B-3ED0CACCBD3A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.7.0\",\"versionEndExcluding\":\"8.7.1\",\"matchCriteriaId\":\"F36A199B-5A45-4E61-BAA9-8E0A34B86A84\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:joomla:joomla\\\\!:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.9.3\",\"versionEndIncluding\":\"3.9.5\",\"matchCriteriaId\":\"FDB7D041-78A2-4EDA-B641-A7F057AEBB6D\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/108302\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://seclists.org/bugtraq/2019/May/36\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://typo3.org/security/advisory/typo3-psa-2019-007/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.debian.org/security/2019/dsa-4445\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.drupal.org/sa-core-2019-007\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.synology.com/security/advisory/Synology_SA_19_22\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/108302\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://seclists.org/bugtraq/2019/May/36\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://typo3.org/security/advisory/typo3-psa-2019-007/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.debian.org/security/2019/dsa-4445\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.drupal.org/sa-core-2019-007\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.synology.com/security/advisory/Synology_SA_19_22\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

GSD-2019-11831

Vulnerability from gsd - Updated: 2023-12-13 01:24

Details

Aliases

CVE-2019-11831

Aliases

CVE-2019-11831

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-11831",
    "description": "The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.",
    "id": "GSD-2019-11831",
    "references": [
      "https://www.debian.org/security/2019/dsa-4445"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-11831"
      ],
      "details": "The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.",
      "id": "GSD-2019-11831",
      "modified": "2023-12-13T01:24:01.796630Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2019-11831",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.drupal.org/sa-core-2019-007",
            "refsource": "CONFIRM",
            "url": "https://www.drupal.org/sa-core-2019-007"
          },
          {
            "name": "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1",
            "refsource": "MISC",
            "url": "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1"
          },
          {
            "name": "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1",
            "refsource": "MISC",
            "url": "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1"
          },
          {
            "name": "https://typo3.org/security/advisory/typo3-psa-2019-007/",
            "refsource": "MISC",
            "url": "https://typo3.org/security/advisory/typo3-psa-2019-007/"
          },
          {
            "name": "https://www.synology.com/security/advisory/Synology_SA_19_22",
            "refsource": "CONFIRM",
            "url": "https://www.synology.com/security/advisory/Synology_SA_19_22"
          },
          {
            "name": "108302",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/108302"
          },
          {
            "name": "DSA-4445",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2019/dsa-4445"
          },
          {
            "name": "20190515 [SECURITY] [DSA 4445-1] drupal7 security update",
            "refsource": "BUGTRAQ",
            "url": "https://seclists.org/bugtraq/2019/May/36"
          },
          {
            "name": "FEDORA-2019-3c89837025",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523/"
          },
          {
            "name": "FEDORA-2019-4d93cf2b34",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR/"
          },
          {
            "name": "FEDORA-2019-d5f883429d",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW/"
          },
          {
            "name": "[debian-lts-announce] 20190520 [SECURITY] [DLA 1797-1] drupal7 security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html"
          },
          {
            "name": "FEDORA-2019-84a50e34a9",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH/"
          },
          {
            "name": "FEDORA-2019-41d6ffd6f0",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4/"
          },
          {
            "name": "FEDORA-2019-040857fd75",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P/"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=7.0.0,\u003c7.67.0||\u003e=8.0.0,\u003c8.6.16||\u003e=8.7.0,\u003c8.7.1",
          "affected_versions": "All versions starting from 7.0.0 before 7.67.0, all versions starting from 8.0.0 before 8.6.16, all versions starting from 8.7.0 before 8.7.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-22",
            "CWE-502",
            "CWE-937"
          ],
          "date": "2019-05-25",
          "description": "The `PharStreamWrapper` (aka `phar-stream-wrapper`) package does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a `phar:///path/bad.phar/../good.phar` URL.",
          "fixed_versions": [
            "8.6.16",
            "8.7.1"
          ],
          "identifier": "CVE-2019-11831",
          "identifiers": [
            "CVE-2019-11831"
          ],
          "not_impacted": "All versions before 7.0.0, all versions starting from 7.67.0 before 8.0.0, all versions starting from 8.6.16 before 8.7.0, all versions starting from 8.7.1",
          "package_slug": "packagist/drupal/core",
          "pubdate": "2019-05-09",
          "solution": "Upgrade to versions 8.6.16, 8.7.1 or above.",
          "title": "Moderately critical - Third-party libraries - SA-CORE-2019-007",
          "urls": [
            "https://www.drupal.org/SA-CORE-2019-007"
          ],
          "uuid": "d164c553-9484-4a66-b18d-f6561b070f9e"
        },
        {
          "affected_range": "\u003e=7.0.0,\u003c7.67.0||\u003e=8.0.0,\u003c8.6.16||\u003e=8.7.0,\u003c8.7.1",
          "affected_versions": "All versions starting from 7.0.0 before 7.67.0, all versions starting from 8.0.0 before 8.6.16, all versions starting from 8.7.0 before 8.7.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-22",
            "CWE-502",
            "CWE-937"
          ],
          "date": "2019-05-25",
          "description": "The `PharStreamWrapper` (aka `phar-stream-wrapper`) package does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a `phar:///path/bad.phar/../good.phar` URL.",
          "fixed_versions": [
            "8.6.16",
            "8.7.1"
          ],
          "identifier": "CVE-2019-11831",
          "identifiers": [
            "CVE-2019-11831"
          ],
          "not_impacted": "All versions before 7.0.0, all versions starting from 7.67.0 before 8.0.0, all versions starting from 8.6.16 before 8.7.0, all versions starting from 8.7.1",
          "package_slug": "packagist/drupal/drupal",
          "pubdate": "2019-05-09",
          "solution": "Upgrade to versions 8.6.16, 8.7.1 or above.",
          "title": "Moderately critical - Third-party libraries - SA-CORE-2019-007",
          "urls": [
            "https://www.drupal.org/SA-CORE-2019-007"
          ],
          "uuid": "8750ed15-fb0c-49f3-8bc2-68d948b6b62a"
        },
        {
          "affected_range": "\u003e=2.0.0,\u003c2.1.1||\u003e=3.0.0,\u003c3.1.1",
          "affected_versions": "All versions starting from 2.0.0 before 2.1.1, all versions starting from 3.0.0 before 3.1.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-22",
            "CWE-502",
            "CWE-937"
          ],
          "date": "2021-09-30",
          "description": "The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.",
          "fixed_versions": [
            "2.1.1",
            "3.1.1"
          ],
          "identifier": "CVE-2019-11831",
          "identifiers": [
            "GHSA-xv7v-rf6g-xwrc",
            "CVE-2019-11831"
          ],
          "not_impacted": "All versions before 2.0.0, all versions starting from 2.1.1 before 3.0.0, all versions starting from 3.1.1",
          "package_slug": "packagist/typo3/phar-stream-wrapper",
          "pubdate": "2021-09-30",
          "solution": "Upgrade to versions 2.1.1, 3.1.1 or above.",
          "title": "Deserialization of Untrusted Data",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-11831",
            "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1",
            "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1",
            "https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4/",
            "https://seclists.org/bugtraq/2019/May/36",
            "https://typo3.org/security/advisory/typo3-psa-2019-007/",
            "https://www.debian.org/security/2019/dsa-4445",
            "https://www.drupal.org/sa-core-2019-007",
            "https://www.synology.com/security/advisory/Synology_SA_19_22",
            "http://www.securityfocus.com/bid/108302",
            "https://github.com/advisories/GHSA-xv7v-rf6g-xwrc"
          ],
          "uuid": "632cb0ec-7c9e-4f44-80dd-ca0170a9ba63"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:typo3:pharstreamwrapper:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.1.1",
                "versionStartIncluding": "2.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typo3:pharstreamwrapper:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.1.1",
                "versionStartIncluding": "3.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "7.67",
                "versionStartIncluding": "7.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "8.6.16",
                "versionStartIncluding": "8.6.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "8.7.1",
                "versionStartIncluding": "8.7.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:joomla:joomla\\!:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "3.9.5",
                "versionStartIncluding": "3.9.3",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-11831"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-22"
                },
                {
                  "lang": "en",
                  "value": "CWE-502"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://typo3.org/security/advisory/typo3-psa-2019-007/",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://typo3.org/security/advisory/typo3-psa-2019-007/"
            },
            {
              "name": "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1"
            },
            {
              "name": "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1"
            },
            {
              "name": "https://www.drupal.org/sa-core-2019-007",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.drupal.org/sa-core-2019-007"
            },
            {
              "name": "https://www.synology.com/security/advisory/Synology_SA_19_22",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_19_22"
            },
            {
              "name": "108302",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/108302"
            },
            {
              "name": "DSA-4445",
              "refsource": "DEBIAN",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4445"
            },
            {
              "name": "20190515 [SECURITY] [DSA 4445-1] drupal7 security update",
              "refsource": "BUGTRAQ",
              "tags": [
                "Issue Tracking",
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://seclists.org/bugtraq/2019/May/36"
            },
            {
              "name": "FEDORA-2019-3c89837025",
              "refsource": "FEDORA",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523/"
            },
            {
              "name": "FEDORA-2019-4d93cf2b34",
              "refsource": "FEDORA",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR/"
            },
            {
              "name": "FEDORA-2019-d5f883429d",
              "refsource": "FEDORA",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW/"
            },
            {
              "name": "[debian-lts-announce] 20190520 [SECURITY] [DLA 1797-1] drupal7 security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html"
            },
            {
              "name": "FEDORA-2019-41d6ffd6f0",
              "refsource": "FEDORA",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4/"
            },
            {
              "name": "FEDORA-2019-84a50e34a9",
              "refsource": "FEDORA",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH/"
            },
            {
              "name": "FEDORA-2019-040857fd75",
              "refsource": "FEDORA",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-10-01T15:31Z",
      "publishedDate": "2019-05-09T04:29Z"
    }
  }
}

GHSA-XV7V-RF6G-XWRC

Vulnerability from github – Published: 2021-09-30 17:10 – Updated: 2021-09-30 16:49

Summary

Directory Traversal in typo3/phar-stream-wrapper

Details

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/phar-stream-wrapper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/phar-stream-wrapper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.67.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.6.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.7.0"
            },
            {
              "fixed": "8.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/drupal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.67.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/drupal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.6.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/drupal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.7.0"
            },
            {
              "fixed": "8.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-11831"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-30T16:49:05Z",
    "nvd_published_at": "2019-05-09T04:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.",
  "id": "GHSA-xv7v-rf6g-xwrc",
  "modified": "2021-09-30T16:49:05Z",
  "published": "2021-09-30T17:10:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11831"
    },
    {
      "type": "WEB",
      "url": "https://www.synology.com/security/advisory/Synology_SA_19_22"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-core-2019-007"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2019/dsa-4445"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-psa-2019-007"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2019/May/36"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/TYPO3/phar-stream-wrapper"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/phar-stream-wrapper/CVE-2019-11831.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-11831.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-11831.yaml"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/108302"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Directory Traversal in typo3/phar-stream-wrapper"
}

CERTFR-2019-AVI-199

Vulnerability from certfr_avis - Published: 2019-05-09 - Updated: 2019-05-09

Une vulnérabilité a été découverte dans Drupal . Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Drupal	Drupal	Drupal versions 8.7 antérieures à 8.7.1
Drupal	Drupal	Drupal versions 7 antérieures à 7.67
Drupal	Drupal	Drupal versions 8 antérieures à 8.6.x
Drupal	Drupal	Drupal versions 8.6 antérieures à 8.6.16

References

Title

Publication Time

FKIE_CVE-2019-11831

Vulnerability from fkie_nvd - Published: 2019-05-09 04:29 - Updated: 2024-11-21 04:21

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cve@mitre.org	http://www.securityfocus.com/bid/108302	Third Party Advisory, VDB Entry
cve@mitre.org	https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1	Release Notes, Third Party Advisory
cve@mitre.org	https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1	Release Notes, Third Party Advisory
cve@mitre.org	https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html	Mailing List, Third Party Advisory
cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW/
cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH/
cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR/
cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P/
cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523/
cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4/
cve@mitre.org	https://seclists.org/bugtraq/2019/May/36	Issue Tracking, Mailing List, Third Party Advisory
cve@mitre.org	https://typo3.org/security/advisory/typo3-psa-2019-007/	Vendor Advisory
cve@mitre.org	https://www.debian.org/security/2019/dsa-4445	Third Party Advisory
cve@mitre.org	https://www.drupal.org/sa-core-2019-007	Third Party Advisory
cve@mitre.org	https://www.synology.com/security/advisory/Synology_SA_19_22	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/108302	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4/
af854a3a-2127-422b-91ae-364da2661108	https://seclists.org/bugtraq/2019/May/36	Issue Tracking, Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://typo3.org/security/advisory/typo3-psa-2019-007/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.debian.org/security/2019/dsa-4445	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.drupal.org/sa-core-2019-007	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.synology.com/security/advisory/Synology_SA_19_22	Third Party Advisory

Impacted products

Vendor	Product	Version
typo3	pharstreamwrapper	*
typo3	pharstreamwrapper	*
debian	debian_linux	8.0
debian	debian_linux	9.0
fedoraproject	fedora	28
fedoraproject	fedora	29
fedoraproject	fedora	30
drupal	drupal	*
drupal	drupal	*
drupal	drupal	*
joomla	joomla\!	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:typo3:pharstreamwrapper:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "371F0F1E-7AFC-4D2C-94C9-658E576AB174",
              "versionEndExcluding": "2.1.1",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typo3:pharstreamwrapper:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FE43F72C-3838-4B40-82AA-E085E58B75BA",
              "versionEndExcluding": "3.1.1",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC1BD7B7-6D88-42B8-878E-F1318CA5FCAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*",
              "matchCriteriaId": "D100F7CE-FC64-4CC6-852A-6136D72DA419",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
              "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6C33BB44-B730-49BC-94D3-EB487FE42CE7",
              "versionEndExcluding": "7.67",
              "versionStartIncluding": "7.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E57598D1-ECC8-434B-846B-3ED0CACCBD3A",
              "versionEndExcluding": "8.6.16",
              "versionStartIncluding": "8.6.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F36A199B-5A45-4E61-BAA9-8E0A34B86A84",
              "versionEndExcluding": "8.7.1",
              "versionStartIncluding": "8.7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:joomla:joomla\\!:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FDB7D041-78A2-4EDA-B641-A7F057AEBB6D",
              "versionEndIncluding": "3.9.5",
              "versionStartIncluding": "3.9.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL."
    },
    {
      "lang": "es",
      "value": "El paquete PharStreamWrapper (tambi\u00e9n conocido como phar-stream-wrapper), versiones 2.x anteriores a 2.1.1 y 3.x anteriores a 3.1.1 para TYPO3, no impide el salto de directorio, lo que permite a los atacantes eludir un mecanismo de protecci\u00f3n de deserializaci\u00f3n, como lo demuestra una URL phar:///path/bad.phar/../good.phar."
    }
  ],
  "id": "CVE-2019-11831",
  "lastModified": "2024-11-21T04:21:50.990",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-05-09T04:29:01.100",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/108302"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/bugtraq/2019/May/36"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://typo3.org/security/advisory/typo3-psa-2019-007/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2019/dsa-4445"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.drupal.org/sa-core-2019-007"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.synology.com/security/advisory/Synology_SA_19_22"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/108302"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/bugtraq/2019/May/36"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://typo3.org/security/advisory/typo3-psa-2019-007/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2019/dsa-4445"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.drupal.org/sa-core-2019-007"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.synology.com/security/advisory/Synology_SA_19_22"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        },
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2019-14071

Vulnerability from cnvd - Published: 2019-05-14

Title

TYPO3 PharStreamWrapper远程代码执行的漏洞

Description

TYPO3 PharStreamWrapper是瑞士TYPO3协会的一款用于流处理的拦截器。 Drupal core第三方类库TYPO3/PharStreamWrapper包2.1.1之前的2.x版本和3.1.1之前的3.x版本存在反序列化保护机制可被绕过导致远程代码执行的漏洞，恶意攻击者通过构造含有恶意代码的Phar文件实现代码执行效果，从而影响到业务系统的安全性。

Severity

高

Patch Name

TYPO3 PharStreamWrapper远程代码执行的漏洞的补丁

Patch Description

Formal description

用户可联系供应商获得补丁信息： https://www.drupal.org/sa-core-2019-007

Reference

https://web.nvd.nist.gov//vuln/detail/CVE-2019-11831

Impacted products

Name
['Drupal core 7.x', 'TYPO3 PharStreamWrapper 2.*', 'TYPO3 PharStreamWrapper 3.x', 'Drupal core 8.x']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "108302"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-11831",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11831"
    }
  },
  "description": "TYPO3 PharStreamWrapper\u662f\u745e\u58ebTYPO3\u534f\u4f1a\u7684\u4e00\u6b3e\u7528\u4e8e\u6d41\u5904\u7406\u7684\u62e6\u622a\u5668\u3002\n\nDrupal core\u7b2c\u4e09\u65b9\u7c7b\u5e93TYPO3/PharStreamWrapper\u53052.1.1\u4e4b\u524d\u76842.x\u7248\u672c\u548c3.1.1\u4e4b\u524d\u76843.x\u7248\u672c\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u4fdd\u62a4\u673a\u5236\u53ef\u88ab\u7ed5\u8fc7\u5bfc\u81f4\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u7684\u6f0f\u6d1e\uff0c\u6076\u610f\u653b\u51fb\u8005\u901a\u8fc7\u6784\u9020\u542b\u6709\u6076\u610f\u4ee3\u7801\u7684Phar\u6587\u4ef6\u5b9e\u73b0\u4ee3\u7801\u6267\u884c\u6548\u679c\uff0c\u4ece\u800c\u5f71\u54cd\u5230\u4e1a\u52a1\u7cfb\u7edf\u7684\u5b89\u5168\u6027\u3002",
  "discovererName": "Daniel le Gall",
  "formalWay": "\u7528\u6237\u53ef\u8054\u7cfb\u4f9b\u5e94\u5546\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://www.drupal.org/sa-core-2019-007",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-14071",
  "openTime": "2019-05-14",
  "patchDescription": "TYPO3 PharStreamWrapper\u662f\u745e\u58ebTYPO3\u534f\u4f1a\u7684\u4e00\u6b3e\u7528\u4e8e\u6d41\u5904\u7406\u7684\u62e6\u622a\u5668\u3002\r\n\r\nDrupal core\u7b2c\u4e09\u65b9\u7c7b\u5e93TYPO3/PharStreamWrapper\u53052.1.1\u4e4b\u524d\u76842.x\u7248\u672c\u548c3.1.1\u4e4b\u524d\u76843.x\u7248\u672c\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u4fdd\u62a4\u673a\u5236\u53ef\u88ab\u7ed5\u8fc7\u5bfc\u81f4\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u7684\u6f0f\u6d1e\uff0c\u6076\u610f\u653b\u51fb\u8005\u901a\u8fc7\u6784\u9020\u542b\u6709\u6076\u610f\u4ee3\u7801\u7684Phar\u6587\u4ef6\u5b9e\u73b0\u4ee3\u7801\u6267\u884c\u6548\u679c\uff0c\u4ece\u800c\u5f71\u54cd\u5230\u4e1a\u52a1\u7cfb\u7edf\u7684\u5b89\u5168\u6027\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "TYPO3 PharStreamWrapper\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u7684\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Drupal core 7.x",
      "TYPO3 PharStreamWrapper 2.*",
      "TYPO3 PharStreamWrapper 3.x",
      "Drupal core 8.x"
    ]
  },
  "referenceLink": "https://web.nvd.nist.gov//vuln/detail/CVE-2019-11831",
  "serverity": "\u9ad8",
  "submitTime": "2019-05-09",
  "title": "TYPO3 PharStreamWrapper\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u7684\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2019-11831 (GCVE-0-2019-11831)

GSD-2019-11831

GHSA-XV7V-RF6G-XWRC

CERTFR-2019-AVI-199

Solution

FKIE_CVE-2019-11831

CNVD-2019-14071

Tags

Sightings

Nomenclature