Lucene search

K

GoogleOSV:GHSA-MMCV-FVQ8-R9X3

HistoryMay 30, 2024 - 12:17 p.m.

Symfony XML decoding attack vector through external entities

2024-05-3012:17:20

Google

osv.dev

8

xml

xmlencoder

symfony2

vulnerability

parsing

attack

AI Score

7.2

Confidence

High

The XMLEncoder component of Symfony 2.0.x fails to disable external entities when parsing XML. In the Symfony2 framework the XML class may be used to deserialize objects or as part of a client/server API. By using external entities it is possible to include arbitrary files from the file system.

References

github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/2012-02-24.yaml

github.com/symfony/symfony

github.com/symfony/symfony/commit/3e64d36cbdc34acaa82e0e6318112cd2eacb6fec

symfony.com/blog/security-release-symfony-2-0-11-released

AI Score

7.2

Confidence

High