Homepage
About Snyk

Information Exposure Affecting symfony/symfony package, versions >=2.7.0, <2.7.38 >=2.8.0, <2.8.31 >=3, <3.1.0 >=3.1.0, <3.2.0 >=3.2.0, <3.2.14 >=3.3.0, <3.3.13 >=3.4-BETA0, <3.4-BETA5 >=4.0-BETA0, <4.0-BETA5

0.0
medium

Snyk CVSS

    Attack Complexity Low
    Confidentiality High

    Threat Intelligence

    EPSS 0.06% (24th percentile)
Expand this section
NVD
6.5 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PHP-SYMFONYSYMFONY-70376
  • published 4 Dec 2017
  • disclosed 16 Nov 2017
  • credit Ondrej Exner
Report a new vulnerability Found a mistake?

Introduced: 16 Nov 2017

CVE-2017-16790 Open this link in a new tab
CWE-200 Open this link in a new tab

How to fix?

Upgrade symfony/symfony to versions 2.7.38, 2.8.31, 3.1.0, 3.2.0, 3.2.14, 3.3.13 higher.

Overview

Affected versions of symfony/symfony are vulnerable to Information Exposure.

When a form is submitted by the user, the request handler classes of the Form component merge POST data (known as the $_POST array in plain PHP) and uploaded files data (known as the $_FILES array in plain PHP) into one array. This big array forms the data that are then bound to the form. At this stage there is no difference anymore between submitted POST data and uploaded files.

A user can send a crafted HTTP request where the value of a FileType is sent as normal POST data that could be interpreted as a locale file path on the server-side (for example, file:///etc/passwd). If the application did not perform any additional checks about the value submitted to the FileType, the contents of the given file on the server could have been exposed to the attacker.