CVE-2017-16654

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2017-16654

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-16654.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2017-16654

Aliases

GHSA-c49r-8gj6-768r

Related

Published

2018-08-06T21:29:00Z

Modified

2025-02-19T02:23:11.332753Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes various bundle readers that are used to read resource bundles from the local filesystem. The read() methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a URL parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack, aka Directory Traversal.

References

Affected packages

Debian:11 / symfony

Package

Name: symfony
Purl: pkg:deb/debian/symfony?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.4.0+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / symfony

Package

Name: symfony
Purl: pkg:deb/debian/symfony?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.4.0+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / symfony

Package

Name: symfony
Purl: pkg:deb/debian/symfony?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.4.0+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/symfony/security-http

Affected ranges

Type: GIT
Repo: https://github.com/symfony/security-http
Events: Introduced

a6209fac5e5984ba49d8b5a1af5e5c118a1c183e

Last affected

4fe1764b69b5e7e0d74656b5214a9026313e23ab

Introduced

760872233cd3147870184697e3481ffa492ac2fb

Last affected

a5c3f701b864a2bb1d6b71b859afd3efe3b9e43d

Introduced

de2f3d51160791ef254010953dbde178fee9845f

Last affected

e23595473a10892462e61443f07d19210ab505af

Type: GIT
Repo: https://github.com/symfony/symfony
Events: Introduced

5a7e31c48e7cd4831efa409fffb661beb9995174

Last affected

1452970fc29131776505f684bd81d7a33cbaada4

Introduced

9975b1eca3de4db792a2c3e4e16f676a4aadcd46

Last affected

c166da413153ecbb4b83c0415f7df13c250c3342

Introduced

b96a144bc875684f3338f697687147a2696d73eb

Last affected

e1aabd6f50fb4586b330f9ac54b4bcdf7352a0f8

Affected versions

v2.*

v2.3.30

v2.3.31

v2.3.32

v2.3.33

v2.3.34

v2.3.35

v2.3.36

v2.3.37

v2.3.38

v2.3.39

v2.3.40

v2.3.41

v2.3.42

v2.6.10

v2.6.11

v2.7.0

v2.7.1

v2.7.10

v2.7.11

v2.7.12

v2.7.13

v2.7.14

v2.7.15

v2.7.16

v2.7.17

v2.7.18

v2.7.19

v2.7.2

v2.7.20

v2.7.21

v2.7.22

v2.7.23

v2.7.24

v2.7.25

v2.7.26

v2.7.27

v2.7.28

v2.7.29

v2.7.3

v2.7.30

v2.7.31

v2.7.32

v2.7.33

v2.7.34

v2.7.35

v2.7.36

v2.7.37

v2.7.4

v2.7.5

v2.7.6

v2.7.7

v2.7.8

v2.7.9

v2.8.0

v2.8.0-BETA1

v2.8.1

v2.8.10

v2.8.11

v2.8.12

v2.8.13

v2.8.14

v2.8.15

v2.8.16

v2.8.17

v2.8.18

v2.8.19

v2.8.2

v2.8.20

v2.8.21

v2.8.22

v2.8.23

v2.8.24

v2.8.25

v2.8.26

v2.8.27

v2.8.28

v2.8.29

v2.8.3

v2.8.4

v2.8.5

v2.8.6

v2.8.7

v2.8.8

v2.8.9

v3.*

v3.0.0

v3.0.0-BETA1

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.0.6

v3.0.7

v3.0.8

v3.1.0

v3.1.0-BETA1

v3.1.0-RC1

v3.1.1

v3.1.10

v3.1.2

v3.1.3

v3.1.4

v3.1.5

v3.1.6

v3.1.7

v3.1.8

v3.1.9

v3.2.0

v3.2.0-BETA1

v3.2.0-RC1

v3.2.0-RC2

v3.2.1

v3.2.10

v3.2.11

v3.2.12

v3.2.13

v3.2.2

v3.2.3

v3.2.4

v3.2.5

v3.2.6

v3.2.7

v3.2.8

v3.2.9

v3.3.0

v3.3.1

v3.3.10

v3.3.11

v3.3.12

v3.3.2

v3.3.3

v3.3.4

v3.3.5

v3.3.6

v3.3.7

v3.3.8

v3.3.9