logo

Database

XML injection (XXE) In symfony/serializer

Description

Symfony XML decoding attack vector through external entities The XMLEncoder component of Symfony 2.0.x fails to disable external entities when parsing XML. In the Symfony2 framework the XML class may be used to deserialize objects or as part of a client/server API. By using external entities it is possible to include arbitrary files from the file system.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GCVE-GHSA-j68w-pg49-f6vx

References

1. https://github.com/symfony/serializer/commit/0943a06a663b573d7319fc1acd56d3484eaaa4302. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/serializer/2012-02-24.yaml3. https://symfony.com/blog/security-release-symfony-2-0-11-released

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.