Symfony XML decoding attack vector through external entities

2024-05-3000:52:20

CWE-611

GitHub Advisory Database

github.com

symfony

xmlencoder

xml parsing

7.2 High

AI Score

Confidence

High

JSON

The XMLEncoder component of Symfony 2.0.x fails to disable external entities when parsing XML. In the Symfony2 framework the XML class may be used to deserialize objects or as part of a client/server API. By using external entities it is possible to include arbitrary files from the file system.

Affected configurations

Vulners

Node

symfonytwigRange<2.0.11

CPENameOperatorVersion
symfony/serializerlt2.0.11

CPE	Name	Operator	Version
	symfony/serializer	lt	2.0.11

References

github.com/advisories/GHSA-j68w-pg49-f6vx

github.com/FriendsOfPHP/security-advisories/blob/master/symfony/serializer/2012-02-24.yaml

github.com/symfony/serializer/commit/0943a06a663b573d7319fc1acd56d3484eaaa430

symfony.com/blog/security-release-symfony-2-0-11-released

7.2 High

AI Score

Confidence

High

JSON