logo

Database

Lack of data validation In symfony/symfony

Description

Symfony collectionCascaded and collectionCascadedDeeply fields security bypass When using the Validator component, if Symfony\\Component\\Validator\\Mapping\\Cache\\ApcCache is enabled (or any other cache implementing Symfony\\Component\\Validator\\Mapping\\Cache\\CacheInterface), some information is lost during serialization (the collectionCascaded and the collectionCascadedDeeply fields).

As a consequence, arrays or traversable objects stored in fields using the @Valid constraint are not traversed by the validator as soon as the validator configuration is loaded from the cache.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2013-47512. NVD-2013-47513. OSV-2013-47514. GCVE-2013-4751

References

1. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-47512. https://exchange.xforce.ibmcloud.com/vulnerabilities/863643. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2013-4751.yaml4. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/validator/CVE-2013-4751.yaml5. https://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released6. https://web.archive.org/web/20200228181137/http://www.securityfocus.com/bid/617097. http://lists.fedoraproject.org/pipermail/package-announce/2013-August/114380.html8. http://lists.fedoraproject.org/pipermail/package-announce/2013-August/114436.html9. http://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.