CVE-2018-19789 symfony/form

Package

Manager: composer
Name: symfony/form
Vulnerable Version: >=2.7.0 <2.7.50 || >=2.8.0 <2.8.49 || >=3.0.0 <3.4.20 || >=4.0.0 <4.0.15 || >=4.1.0 <4.1.9 || >=4.2.0 <4.2.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00921 (percentile 0.75105)

Details

Symfony Path Disclosure: An issue was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9, and 4.2.x before 4.2.1. When a class used as the `data_class` of a form has a setter with the scalar type hint `string` (e.g. `setName(string $name)`), and a file upload is submitted to the corresponding field instead of a normal text input, `UploadedFile::__toString()` is called and returns the path of the uploaded file, which is then disclosed. Combined with a local file inclusion issue, this could in certain circumstances escalate to remote code execution.
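The mechanism behind this advisory is PHP's coercive typing mode: an object that defines `__toString()` satisfies a `string` parameter, so a setter written for text input silently accepts a file object and stores whatever its string conversion yields. The following added example (not Symfony's code; `FakeUploadedFile`, `Profile`, `mapUnchecked` and `mapChecked` are constructed stand-ins, and the path value is made up) shows that coercion beside the check that stops it: a data mapper that only passes actual strings to a string-typed setter. It assumes PHP 8.0 or later and a file without `declare(strict_types=1)`.

```php
<?php
// Added example, not Symfony's own code. FakeUploadedFile is a constructed
// stand-in for an uploaded-file object whose string conversion yields the
// server-side temporary path, which is the behaviour the advisory describes.
final class FakeUploadedFile
{
    public function __construct(private string $path) {}

    public function __toString(): string
    {
        return $this->path;
    }
}

// Entity used as a form's data_class, with a scalar `string` setter.
final class Profile
{
    private string $name = '';

    public function setName(string $name): void
    {
        $this->name = $name;
    }

    public function getName(): string
    {
        return $this->name;
    }
}

// Unchecked mapping: the setter receives whatever was submitted for the field.
// In coercive typing mode (no strict_types) an object with __toString()
// is accepted for a `string` parameter, so the file path lands in the entity
// and from there in any rendered output.
function mapUnchecked(Profile $profile, mixed $submitted): void
{
    $profile->setName($submitted);
}

// Checked mapping: a text field may only carry a string. Anything else,
// including an uploaded-file object, is rejected before the setter runs.
function mapChecked(Profile $profile, mixed $submitted): void
{
    if (!is_string($submitted)) {
        throw new InvalidArgumentException('Field "name" must be a string.');
    }
    $profile->setName($submitted);
}

// Constructed path value; a real temp file name would differ.
$upload = new FakeUploadedFile('/tmp/phpUPLOADEXAMPLE');

$profile = new Profile();
mapUnchecked($profile, $upload);
echo 'unchecked mapping stored: ', $profile->getName(), PHP_EOL;

try {
    mapChecked(new Profile(), $upload);
} catch (InvalidArgumentException $e) {
    echo 'checked mapping rejected input: ', $e->getMessage(), PHP_EOL;
}
```

The `is_string()` guard is the form-layer check; enabling `declare(strict_types=1)` in the file that holds the entity would make the same call a `TypeError` instead of a coercion, which is a second, independent line of defence.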

Metadata

Created: 2022-05-14T01:04:20Z
Modified: 2023-10-06T17:56:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-x3cf-w64x-4cp2/GHSA-x3cf-w64x-4cp2.json
CWE IDs: ["CWE-434"]
Alternative ID: GHSA-x3cf-w64x-4cp2
Finding: F027
Auto approve: 1