Symfony Path Disclosure
Moderate severity • GitHub Reviewed
Published May 14, 2022 to the GitHub Advisory Database • Updated Feb 6, 2024
Package
Affected versions -> Patched versions
>= 2.7.0, < 2.7.50 -> 2.7.50
>= 2.8.0, < 2.8.49 -> 2.8.49
>= 3.0.0, < 3.4.20 -> 3.4.20
>= 4.0.0, < 4.0.15 -> 4.0.15
>= 4.1.0, < 4.1.9 -> 4.1.9
>= 4.2.0, < 4.2.1 -> 4.2.1
Published by the National Vulnerability Database: Dec 18, 2018
Published to the GitHub Advisory Database: May 14, 2022
Reviewed: Jul 24, 2023
Last updated: Feb 6, 2024
Description
An issue was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9, and 4.2.x before 4.2.1. When using the scalar type hint `string` in a setter method (e.g. `setName(string $name)`) of a class that is the `data_class` of a form, and when a file upload is submitted to the corresponding field instead of a normal text input, `UploadedFile::__toString()` is called, which returns and thereby discloses the path of the uploaded file. If combined with a local file inclusion issue, in certain circumstances this could escalate to Remote Code Execution.
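The coercion the description relies on, as an added example that is not Symfony's code: a constructed stand-in for the uploaded-file object, the setter shape the advisory names, and a guard that rejects non-string input before the typed setter runs. Assumes PHP 8 in its default coercive typing mode; `FakeUploadedFile`, `Profile` and `assignText` are hypothetical names.

```php
<?php
// Added example, not Symfony code. Coercive typing mode (no strict_types)
// is assumed; it is PHP's default and the mode the advisory depends on.

// Constructed stand-in for an uploaded-file object whose __toString()
// yields its temporary path, as the advisory describes for UploadedFile.
final class FakeUploadedFile
{
    public function __construct(private string $pathname) {}
    public function __toString(): string { return $this->pathname; }
}

// The data_class shape from the advisory: a setter with a scalar string hint.
final class Profile
{
    private ?string $name = null;
    public function setName(string $name): void { $this->name = $name; }
    public function getName(): ?string { return $this->name; }
}

// Hardened path (hypothetical helper): only genuine strings reach the
// typed setter, so a file object is never stringified into the model.
function assignText(Profile $profile, mixed $submitted): void
{
    if (!is_string($submitted)) {
        throw new InvalidArgumentException('text field received a non-string value');
    }
    $profile->setName($submitted);
}

$upload = new FakeUploadedFile('/tmp/php-constructed-sample'); // constructed value

// Vulnerable behaviour: PHP coerces the object through __toString(), so the
// model now holds the upload's path instead of user-supplied text.
$leaky = new Profile();
$leaky->setName($upload);
echo 'coerced value: ', $leaky->getName(), PHP_EOL;

// Guarded behaviour: the same input is rejected before the setter runs.
try {
    assignText(new Profile(), $upload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
// With declare(strict_types=1) at the top of the calling file,
// $leaky->setName($upload) throws a TypeError instead of coercing.
```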