Fluid Attacks Database

Description

Symfony Arbitrary PHP code Execution Symfony 2.0.x before 2.0.22, 2.1.x before 2.1.7, and 2.2.x remote attackers to execute arbitrary PHP code via a serialized PHP object to the (1) Yaml::parse or (2) Yaml\Parser::parse function, a different vulnerability than CVE-2013-1348.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	symfony/yaml	>=2.0.0 <2.0.22 \|\| >=2.1.0 <2.1.7 \|\| >=2.2.0-beta1 <2.2.0-beta2	2.0.22, 2.1.7, 2.2.0-beta2
packagist	symfony/symfony	>=2.2.0-beta1 <2.2.0-beta2 \|\| >=2.0.0 <2.0.22 \|\| >=2.1.0 <2.1.7	2.2.0-beta2, 2.0.22, 2.1.7

Aliases

1. CVE-2013-13972. NVD-2013-13973. OSV-2013-13974. GCVE-2013-1397

References

1. https://github.com/symfony/symfony/commit/ba6e3159c0eeb3b6e21db32fce8fa2535cb3aa772. https://exchange.xforce.ibmcloud.com/vulnerabilities/815513. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2013-1397.yaml4. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/yaml/CVE-2013-1397.yaml5. https://symfony.com/blog/security-release-symfony-2-0-22-and-2-1-7-released6. http://symfony.com/blog/security-release-symfony-2-0-22-and-2-1-7-released

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.