Fluid Attacks Database

Description

Symphony Vulnerable to PHP Code Injection via YAML Parsing The Yaml::parse function in Symfony 2.0.x before 2.0.22 remote attackers to execute arbitrary PHP code via a PHP file, a different vulnerability than CVE-2013-1397.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	symfony/symfony	>=2.0.0 <2.0.22	2.0.22
packagist	symfony/yaml	>=2.0.0 <2.0.22	2.0.22

Aliases

1. CVE-2013-13482. NVD-2013-13483. OSV-2013-13484. GCVE-2013-1348

References

1. https://github.com/symfony/symfony/commit/ac756bf39e646b4e130fad058d10a0228dbd97792. https://exchange.xforce.ibmcloud.com/vulnerabilities/815503. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2013-1348.yaml4. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/yaml/CVE-2013-1348.yaml5. https://symfony.com/blog/security-release-symfony-2-0-22-and-2-1-7-released6. https://web.archive.org/web/20150612022223/http://www.securityfocus.com/bid/57574

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.