Packagist (Composer) package
typo3/phar-stream-wrapper
pkg:composer/typo3/phar-stream-wrapper
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-11831 | — | >= 2.0.0, < 2.1.1 | 2.1.1 | May 9, 2019 | The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL. | ||
| CVE-2019-11830 | — | >= 2.0.0, < 2.1.1 | 2.1.1 | May 9, 2019 | PharMetaDataInterceptor in the PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 mishandles Phar stub parsing, which allows attackers to bypass a deserialization protection mechanism. |
- CVE-2019-11831May 9, 2019affected >= 2.0.0, < 2.1.1fixed 2.1.1
The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.
- CVE-2019-11830May 9, 2019affected >= 2.0.0, < 2.1.1fixed 2.1.1
PharMetaDataInterceptor in the PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 mishandles Phar stub parsing, which allows attackers to bypass a deserialization protection mechanism.