CVE-2019-11831

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2019-11831
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11831.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-11831
Aliases
Downstream
Published
2019-05-09T04:29:01.100Z
Modified
2026-02-07T05:09:09.166324Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.

References

Affected packages

Git
github.com/drupal/drupal

Affected ranges

Type
GIT
Repo
https://github.com/drupal/drupal
Events
Introduced
497914920385b7016ac9c9367e0198530787adf2
Fixed
09a33aa82ad15d5179322199f694f1fa7e6fb3e2
Introduced
17ba30046ed57677de4feff8d07354890b40efdb
Fixed
553207a347f92dce802d7ea9e4d9602c5b090775
Introduced
9b04d294324d9c76be4b596de4316cb8804e8223
Fixed
9d60ac244d73ffd69d651f52d8642307c22f633a

Affected versions

7.*
7.0
7.1
7.10
7.11
7.12
7.13
7.14
7.15
7.16
7.17
7.18
7.19
7.2
7.20
7.21
7.22
7.23
7.24
7.25
7.26
7.27
7.28
7.29
7.3
7.30
7.31
7.32
7.33
7.34
7.35
7.36
7.37
7.38
7.39
7.4
7.40
7.41
7.42
7.43
7.44
7.5
7.50
7.51
7.52
7.53
7.54
7.55
7.56
7.57
7.58
7.59
7.6
7.60
7.61
7.62
7.63
7.64
7.65
7.66
7.7
7.8
7.9
8.*
8.0-alpha10
8.0-alpha11
8.0-alpha12
8.0-alpha13
8.0-alpha2
8.0-alpha3
8.0-alpha4
8.0-alpha5
8.0-alpha6
8.0-alpha7
8.0-alpha8
8.0-alpha9
8.0.0
8.0.0-alpha14
8.0.0-alpha15
8.0.0-beta1
8.0.0-beta10
8.0.0-beta11
8.0.0-beta12
8.0.0-beta13
8.0.0-beta14
8.0.0-beta15
8.0.0-beta16
8.0.0-beta2
8.0.0-beta3
8.0.0-beta4
8.0.0-beta5
8.0.0-beta6
8.0.0-beta7
8.0.0-beta9
8.0.0-rc1
8.0.0-rc2
8.0.0-rc3
8.0.0-rc4
8.1.0-beta1
8.6.0
8.6.0-alpha1
8.6.0-beta2
8.6.0-rc1
8.6.1
8.6.10
8.6.11
8.6.12
8.6.13
8.6.14
8.6.15
8.6.2
8.6.3
8.6.4
8.6.5
8.6.6
8.6.7
8.6.8
8.6.9
8.7.0
8.7.0-alpha1
8.7.0-alpha2
8.7.0-beta1
8.7.0-beta2
8.7.0-rc1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11831.json"
github.com/joomla/joomla-cms

Affected ranges

Type
GIT
Repo
https://github.com/joomla/joomla-cms
Events
Introduced
c1acb7e6973bd549fe35a02659fe851ff1a37dfe
Fixed
21489b49ec8fe20a9a9ebbc2bb04f19b4df4d5ef

Affected versions

3.*
3.0.0
3.0.1
3.0.3
3.1.0_beta1
3.1.0_beta2
3.1.0_beta3
3.1.0_beta4
3.1.0_beta5

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11831.json"
github.com/typo3/phar-stream-wrapper

Affected ranges

Type
GIT
Repo
https://github.com/typo3/phar-stream-wrapper
Events
Fixed
e438b0c78652b33407983eb29d215a1a3f68f6f3
Introduced
369f83042ea2e57d98dd04ce4c7318d008497a29
Fixed
e438b0c78652b33407983eb29d215a1a3f68f6f3
Fixed
fff6f5e037882f816cd41a9f5ccd8d8f97bfdebf
Introduced
072007eb3d2c8864aa7535fe5bd0349b5ba765f6
Fixed
fff6f5e037882f816cd41a9f5ccd8d8f97bfdebf

Affected versions

v.*
v.2.1.0
v2.*
v2.0.0
v2.0.1
v2.1.0
v3.*
v3.0.0
v3.0.1
v3.1.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11831.json"