Symfony Directory Traversal
High severity. GitHub Reviewed.
Published May 14, 2022 to the GitHub Advisory Database. Updated Feb 7, 2024.
Package
Affected versions: >= 2.7.0, < 2.7.38; >= 2.8.0, < 2.8.31; >= 3.0.0, < 3.2.14; >= 3.3.0, < 3.3.13
Patched versions: 2.7.38, 2.8.31, 3.2.14, 3.3.13
Description
Published by the National Vulnerability Database: Aug 6, 2018
Published to the GitHub Advisory Database: May 14, 2022
Reviewed: Jul 26, 2023
Last updated: Feb 7, 2024
An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes various bundle readers that are used to read resource bundles from the local filesystem. The read() methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a URL parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack, aka Directory Traversal.
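The following is an added illustration, not Symfony's own code: a minimal bundle reader of the shape the description sketches, once with the locale concatenated straight into the path and once with the locale validated and the resolved path checked. The directory layout, file names and function names are assumptions constructed for the demo.

```php
<?php
// Added example, not Symfony's code: a tiny bundle reader that builds
// "<path>/<locale>.json" from a caller-supplied locale, unguarded and then
// guarded against dot-dot-slash. Paths and names are constructed for the demo.

// Unsafe pattern: the locale goes straight into the path, so "../secret"
// walks out of the bundle directory.
function readBundleUnsafe(string $path, string $locale): ?string
{
    $fileName = $path . '/' . $locale . '.json';
    return is_file($fileName) ? file_get_contents($fileName) : null;
}

// Hardened pattern: accept only plain locale identifiers (en, fr_FR,
// sr_Latn_RS), then confirm the file's parent directory is $path itself.
function readBundleSafe(string $path, string $locale): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $locale)) {
        throw new InvalidArgumentException(sprintf('Invalid locale "%s".', $locale));
    }
    $fileName = $path . '/' . $locale . '.json';
    // Defense in depth: catches any separator the pattern might later allow.
    if (\dirname($fileName) !== $path) {
        throw new InvalidArgumentException('Locale escapes the bundle directory.');
    }
    return is_file($fileName) ? file_get_contents($fileName) : null;
}

// Constructed sample layout: <tmp>/<demo>/bundles/en.json plus a sibling
// file outside the bundle directory that a traversal would reach.
$base = sys_get_temp_dir() . '/traversal-demo-' . bin2hex(random_bytes(4));
$bundleDir = $base . '/bundles';
mkdir($bundleDir, 0700, true);
file_put_contents($bundleDir . '/en.json', '{"Locale":"en"}');
file_put_contents($base . '/secret.json', '{"not":"a bundle"}');

var_dump(readBundleUnsafe($bundleDir, 'en'));        // reads bundles/en.json
var_dump(readBundleUnsafe($bundleDir, '../secret')); // reads the sibling file
var_dump(readBundleSafe($bundleDir, 'en'));          // reads bundles/en.json
try {
    readBundleSafe($bundleDir, '../secret');         // rejected before any I/O
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}

// Clean up the constructed files.
unlink($bundleDir . '/en.json');
unlink($base . '/secret.json');
rmdir($bundleDir);
rmdir($base);
```

The allowlist check does the real work; the dirname comparison is a second, independent guard so a later loosening of the pattern cannot silently reopen the traversal.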