CVE-2019-11831

CRITICAL

PharStreamWrapper 2.x < 2.1.1 and 3.x < 3.1.1 - Path Traversal

Description

The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.

Scores

CVSS v3 9.8
EPSS 0.1048
EPSS Percentile 93.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE CWE-22, CWE-502
Status published

Affected Products (11)

typo3/pharstreamwrapper < 2.1.1
debian/debian_linux
debian/debian_linux
fedoraproject/fedora
fedoraproject/fedora
fedoraproject/fedora
drupal/drupal < 7.67
joomla/joomla! < 3.9.5
typo3/phar-stream-wrapper < 2.1.1 (Packagist)
drupal/core < 7.67.0 (Packagist)
drupal/drupal < 7.67.0 (Packagist)

Timeline

Published May 09, 2019
Tracked Since Feb 18, 2026