VYPR

Packagist (Composer) package

typo3/phar-stream-wrapper

pkg:composer/typo3/phar-stream-wrapper

Vulnerabilities (2)

  • CVE-2019-11831May 9, 2019
    affected >= 2.0.0, < 2.1.1fixed 2.1.1

    The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.

  • CVE-2019-11830May 9, 2019
    affected >= 2.0.0, < 2.1.1fixed 2.1.1

    PharMetaDataInterceptor in the PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 mishandles Phar stub parsing, which allows attackers to bypass a deserialization protection mechanism.