Information Exposure Affecting symfony/symfony package, versions >=2.7.0, <2.7.38>=2.8.0, <2.8.31>=3, <3.1.0>=3.1.0, <3.2.0>=3.2.0, <3.2.14>=3.3.0, <3.3.13>=3.4-BETA0, <3.4-BETA5>=4.0-BETA0, <4.0-BETA5
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PHP-SYMFONYSYMFONY-70376
- published4 Dec 2017
- disclosed16 Nov 2017
- creditOndrej Exner
Introduced: 16 Nov 2017
CVE-2017-16790 (opens in a new tab)How to fix?
Upgrade symfony/symfony to versions 2.7.38, 2.8.31, 3.1.0, 3.2.0, 3.2.14, 3.3.13 higher.
Overview
Affected versions of symfony/symfony are vulnerable to Information Exposure.
When a form is submitted by the user, the request handler classes of the Form component merge POST data (known as the $_POST array in plain PHP) and uploaded files data (known as the $_FILES array in plain PHP) into one array. This big array forms the data that are then bound to the form. At this stage there is no difference anymore between submitted POST data and uploaded files.
A user can send a crafted HTTP request where the value of a FileType is sent as normal POST data that could be interpreted as a locale file path on the server-side (for example, file:///etc/passwd). If the application did not perform any additional checks about the value submitted to the FileType, the contents of the given file on the server could have been exposed to the attacker.