Critical severity · NVD Advisory · Published May 9, 2019 · Updated Aug 4, 2024
CVE-2019-11831
Description
The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| typo3/phar-stream-wrapper (Packagist) | >= 2.0.0, < 2.1.1 | 2.1.1 |
| typo3/phar-stream-wrapper (Packagist) | >= 3.0.0, < 3.1.1 | 3.1.1 |
| drupal/core (Packagist) | >= 7.0.0, < 7.67.0 | 7.67.0 |
| drupal/core (Packagist) | >= 8.0.0, < 8.6.16 | 8.6.16 |
| drupal/core (Packagist) | >= 8.7.0, < 8.7.1 | 8.7.1 |
| drupal/drupal (Packagist) | >= 7.0.0, < 7.67.0 | 7.67.0 |
| drupal/drupal (Packagist) | >= 8.0.0, < 8.6.16 | 8.6.16 |
| drupal/drupal (Packagist) | >= 8.7.0, < 8.7.1 | 8.7.1 |
Affected products (4)
- TYPO3/PharStreamWrapper (description)
- ghsa-coords, 3 versions: >= 7.0.0, < 7.67.0 (+ 2 more)
- (no CPE) range: >= 7.0.0, < 7.67.0
- (no CPE) range: >= 7.0.0, < 7.67.0
- (no CPE) range: >= 2.0.0, < 2.1.1
References (33)
- github.com/advisories/GHSA-xv7v-rf6g-xwrc (ghsa, ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4/ (mitre, vendor-advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2019-11831 (ghsa, ADVISORY)
- www.debian.org/security/2019/dsa-4445 (ghsa, vendor-advisory, x_refsource_DEBIAN, WEB)
- www.securityfocus.com/bid/108302 (ghsa, vdb-entry, x_refsource_BID, WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-11831.yaml (ghsa, WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-11831.yaml (ghsa, WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/phar-stream-wrapper/CVE-2019-11831.yaml (ghsa, WEB)
- github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1 (ghsa, x_refsource_MISC, WEB)
- github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1 (ghsa, x_refsource_MISC, WEB)
- lists.debian.org/debian-lts-announce/2019/05/msg00029.html (ghsa, mailing-list, x_refsource_MLIST, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4 (ghsa, WEB)
- seclists.org/bugtraq/2019/May/36 (ghsa, mailing-list, x_refsource_BUGTRAQ, WEB)
- typo3.org/security/advisory/typo3-psa-2019-007 (ghsa, WEB)
- typo3.org/security/advisory/typo3-psa-2019-007/ (mitre, x_refsource_MISC)
- www.drupal.org/sa-core-2019-007 (ghsa, x_refsource_CONFIRM, WEB)
- www.synology.com/security/advisory/Synology_SA_19_22 (ghsa, x_refsource_CONFIRM, WEB)