Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:composer/symfony/symfony@2.7.38
Typecomposer
Namespacesymfony
Namesymfony
Version2.7.38
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version2.7.49
Latest_non_vulnerable_version8.0.5
Affected_by_vulnerabilities
0
url VCID-frbz-vpfe-vbh9
vulnerability_id VCID-frbz-vpfe-vbh9
summary 
Unrestricted Upload of File with Dangerous Type
When using the scalar type hint `string` in a setter method (e.g. `setName(string$name)`) of a class that's the `data_class` of a form, and when a file upload is submitted to the corresponding field instead of a normal text input, then `UploadedFile::__toString()` is called which will then return and disclose the path of the uploaded file. If combined with a local file inclusion issue in certain circumstances this could escalate it to a Remote Code Execution.
references
0
reference_url https://symfony.com/cve-2018-19789
reference_id CVE-2018-19789
reference_type
scores
url https://symfony.com/cve-2018-19789
fixed_packages
0
url pkg:composer/symfony/symfony@2.7.50
purl pkg:composer/symfony/symfony@2.7.50
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.7.50
1
url pkg:composer/symfony/symfony@2.8.49
purl pkg:composer/symfony/symfony@2.8.49
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.49
2
url pkg:composer/symfony/symfony@3.4.20
purl pkg:composer/symfony/symfony@3.4.20
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.20
3
url pkg:composer/symfony/symfony@4.0.15
purl pkg:composer/symfony/symfony@4.0.15
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.15
4
url pkg:composer/symfony/symfony@4.1.9
purl pkg:composer/symfony/symfony@4.1.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.1.9
5
url pkg:composer/symfony/symfony@4.2.1
purl pkg:composer/symfony/symfony@4.2.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.2.1
aliases CVE-2018-19789
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-frbz-vpfe-vbh9
1
url VCID-mew1-9shg-mugs
vulnerability_id VCID-mew1-9shg-mugs
summary 
URL Redirection to Untrusted Site (Open Redirect)
By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login.
references
0
reference_url https://symfony.com/cve-2018-19790
reference_id CVE-2018-19790
reference_type
scores
url https://symfony.com/cve-2018-19790
fixed_packages
0
url pkg:composer/symfony/symfony@2.7.50
purl pkg:composer/symfony/symfony@2.7.50
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.7.50
1
url pkg:composer/symfony/symfony@2.8.49
purl pkg:composer/symfony/symfony@2.8.49
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.49
2
url pkg:composer/symfony/symfony@3.4.20
purl pkg:composer/symfony/symfony@3.4.20
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.20
3
url pkg:composer/symfony/symfony@4.0.15
purl pkg:composer/symfony/symfony@4.0.15
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.15
4
url pkg:composer/symfony/symfony@4.1.9
purl pkg:composer/symfony/symfony@4.1.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.1.9
5
url pkg:composer/symfony/symfony@4.2.1
purl pkg:composer/symfony/symfony@4.2.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.2.1
aliases CVE-2018-19790
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mew1-9shg-mugs
2
url VCID-tx26-92jc-rkff
vulnerability_id VCID-tx26-92jc-rkff
summary 
URL Redirection to Untrusted Site (Open Redirect)
The security handlers in the Security component in Symfony have an Open redirect vulnerability when `security.http_utils` is inlined by a container.
references
0
reference_url https://symfony.com/cve-2018-11408
reference_id CVE-2018-11408
reference_type
scores
url https://symfony.com/cve-2018-11408
fixed_packages
0
url pkg:composer/symfony/symfony@2.7.48
purl pkg:composer/symfony/symfony@2.7.48
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1y96-v19f-tkgg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.7.48
1
url pkg:composer/symfony/symfony@2.8.41
purl pkg:composer/symfony/symfony@2.8.41
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.41
2
url pkg:composer/symfony/symfony@3.4.11
purl pkg:composer/symfony/symfony@3.4.11
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.11
3
url pkg:composer/symfony/symfony@4.0.11
purl pkg:composer/symfony/symfony@4.0.11
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.11
aliases CVE-2018-11408
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tx26-92jc-rkff
Fixing_vulnerabilities
0
url VCID-djnm-e9r4-c3f5
vulnerability_id VCID-djnm-e9r4-c3f5
summary `DefaultAuthenticationSuccessHandler` or `DefaultAuthenticationFailureHandler` take the content of the `_target_path` parameter and generate a redirect response but no check is performed on the path, which could be an absolute URL to an external domain, opening redirect vulnerability. Open redirect vulnerability are not too much considered but they can be exploited for example to mount effective phishing attacks.
references
0
reference_url http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16652
reference_id
reference_type
scores
url http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16652
1
reference_url https://github.com/symfony/symfony/pull/24995
reference_id
reference_type
scores
url https://github.com/symfony/symfony/pull/24995
2
reference_url https://symfony.com/cve-2017-16652
reference_id CVE-2017-16652
reference_type
scores
url https://symfony.com/cve-2017-16652
3
reference_url http://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers
reference_id CVE-2017-16652-OPEN-REDIRECT-VULNERABILITY-ON-SECURITY-HANDLERS
reference_type
scores
url http://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers
fixed_packages
0
url pkg:composer/symfony/symfony@2.7.38
purl pkg:composer/symfony/symfony@2.7.38
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-frbz-vpfe-vbh9
1
vulnerability VCID-mew1-9shg-mugs
2
vulnerability VCID-tx26-92jc-rkff
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.7.38
1
url pkg:composer/symfony/symfony@2.8.31
purl pkg:composer/symfony/symfony@2.8.31
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.31
2
url pkg:composer/symfony/symfony@3.2.14
purl pkg:composer/symfony/symfony@3.2.14
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.2.14
3
url pkg:composer/symfony/symfony@3.3.13
purl pkg:composer/symfony/symfony@3.3.13
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.13
4
url pkg:composer/symfony/symfony@3.4.0-BETA5
purl pkg:composer/symfony/symfony@3.4.0-BETA5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.0-BETA5
5
url pkg:composer/symfony/symfony@4.0.0-BETA5
purl pkg:composer/symfony/symfony@4.0.0-BETA5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.0-BETA5
aliases CVE-2017-16652
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-djnm-e9r4-c3f5
1
url VCID-dsbx-q641-4fc7
vulnerability_id VCID-dsbx-q641-4fc7
summary 
Cross-Site Request Forgery (CSRF)
The current implementation of CSRF protection in Symfony does not use different tokens for HTTP and HTTPS.
references
0
reference_url http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16653
reference_id
reference_type
scores
url http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16653
1
reference_url https://github.com/symfony/symfony/pull/24992
reference_id
reference_type
scores
url https://github.com/symfony/symfony/pull/24992
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-16653
reference_id CVE-2017-16653
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2017-16653
3
reference_url https://symfony.com/cve-2017-16653
reference_id CVE-2017-16653
reference_type
scores
url https://symfony.com/cve-2017-16653
fixed_packages
0
url pkg:composer/symfony/symfony@2.7.38
purl pkg:composer/symfony/symfony@2.7.38
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-frbz-vpfe-vbh9
1
vulnerability VCID-mew1-9shg-mugs
2
vulnerability VCID-tx26-92jc-rkff
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.7.38
1
url pkg:composer/symfony/symfony@3.2.14
purl pkg:composer/symfony/symfony@3.2.14
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.2.14
2
url pkg:composer/symfony/symfony@3.3.13
purl pkg:composer/symfony/symfony@3.3.13
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.13
3
url pkg:composer/symfony/symfony@4.0.0
purl pkg:composer/symfony/symfony@4.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1y96-v19f-tkgg
1
vulnerability VCID-23hr-yznx-c3fb
2
vulnerability VCID-6c6t-kmb3-2qcm
3
vulnerability VCID-7m45-bvbn-4qd3
4
vulnerability VCID-ef86-hqv4-6kaz
5
vulnerability VCID-frbz-vpfe-vbh9
6
vulnerability VCID-mew1-9shg-mugs
7
vulnerability VCID-nsuz-7sdv-abef
8
vulnerability VCID-qqd1-smb1-sbe8
9
vulnerability VCID-tx26-92jc-rkff
10
vulnerability VCID-uuk9-e5qy-rfgf
11
vulnerability VCID-vyug-krcw-jyef
12
vulnerability VCID-zeut-9wfp-q7et
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.0
aliases CVE-2017-16653
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dsbx-q641-4fc7
2
url VCID-xdtu-22ad-63aq
vulnerability_id VCID-xdtu-22ad-63aq
summary 
Attacker can read all files content on the server
When a form is submitted by the user, the request handler classes of the Form component merge POST data (known as the `$_POST` array in plain PHP) and uploaded files data (known as the `$_FILES` array in plain PHP) into one array. This big array forms the data that are then bound to the form. At this stage there is no difference anymore between submitted POST data and uploaded files. A user can send a crafted HTTP request where the value of a `FileType` is sent as normal `POST` data that could be interpreted as a locale file path on the server-side (for example, `file:///etc/passwd`). If the application did not perform any additional checks about the value submitted to the `FileType`, the contents of the given file on the server could have been exposed to the attacker.
references
0
reference_url http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16790
reference_id
reference_type
scores
url http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16790
1
reference_url https://github.com/symfony/symfony/pull/24993
reference_id
reference_type
scores
url https://github.com/symfony/symfony/pull/24993
2
reference_url http://symfony.com/blog/cve-2017-16790-ensure-that-submitted-data-are-uploaded-files
reference_id CVE-2017-16790-ENSURE-THAT-SUBMITTED-DATA-ARE-UPLOADED-FILES
reference_type
scores
url http://symfony.com/blog/cve-2017-16790-ensure-that-submitted-data-are-uploaded-files
fixed_packages
0
url pkg:composer/symfony/symfony@2.7.38
purl pkg:composer/symfony/symfony@2.7.38
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-frbz-vpfe-vbh9
1
vulnerability VCID-mew1-9shg-mugs
2
vulnerability VCID-tx26-92jc-rkff
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.7.38
1
url pkg:composer/symfony/symfony@2.8.31
purl pkg:composer/symfony/symfony@2.8.31
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.31
2
url pkg:composer/symfony/symfony@3.2.14
purl pkg:composer/symfony/symfony@3.2.14
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.2.14
3
url pkg:composer/symfony/symfony@3.3.13
purl pkg:composer/symfony/symfony@3.3.13
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.13
4
url pkg:composer/symfony/symfony@3.4.0-BETA5
purl pkg:composer/symfony/symfony@3.4.0-BETA5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.0-BETA5
5
url pkg:composer/symfony/symfony@4.0.0-BETA5
purl pkg:composer/symfony/symfony@4.0.0-BETA5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.0-BETA5
aliases CVE-2017-16790
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xdtu-22ad-63aq
3
url VCID-xj13-fspe-hfgv
vulnerability_id VCID-xj13-fspe-hfgv
summary 
An attacker can navigate to arbitrary directories via the dot-dot-slash attack
This package includes various bundle readers that are used to read resource bundles from the local filesystem. The `read()` methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a `URL` parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack.
references
0
reference_url http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16654
reference_id
reference_type
scores
url http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16654
1
reference_url https://github.com/symfony/symfony/pull/24994
reference_id
reference_type
scores
url https://github.com/symfony/symfony/pull/24994
2
reference_url http://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths
reference_id CVE-2017-16654-INTL-BUNDLE-READERS-BREAKING-OUT-OF-PATHS
reference_type
scores
url http://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths
fixed_packages
0
url pkg:composer/symfony/symfony@2.7.38
purl pkg:composer/symfony/symfony@2.7.38
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-frbz-vpfe-vbh9
1
vulnerability VCID-mew1-9shg-mugs
2
vulnerability VCID-tx26-92jc-rkff
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.7.38
1
url pkg:composer/symfony/symfony@2.8.31
purl pkg:composer/symfony/symfony@2.8.31
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.31
2
url pkg:composer/symfony/symfony@3.2.14
purl pkg:composer/symfony/symfony@3.2.14
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.2.14
3
url pkg:composer/symfony/symfony@3.3.13
purl pkg:composer/symfony/symfony@3.3.13
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.13
4
url pkg:composer/symfony/symfony@3.4.0-BETA5
purl pkg:composer/symfony/symfony@3.4.0-BETA5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.0-BETA5
5
url pkg:composer/symfony/symfony@4.0.0-BETA5
purl pkg:composer/symfony/symfony@4.0.0-BETA5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.0-BETA5
aliases CVE-2017-16654
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xj13-fspe-hfgv
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.7.38