Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/40158?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40158?format=api", "vulnerability_id": "VCID-xdtu-22ad-63aq", "summary": "Attacker can read all files content on the server\nWhen a form is submitted by the user, the request handler classes of the Form component merge POST data (known as the `$_POST` array in plain PHP) and uploaded files data (known as the `$_FILES` array in plain PHP) into one array. This big array forms the data that are then bound to the form. At this stage there is no difference anymore between submitted POST data and uploaded files. A user can send a crafted HTTP request where the value of a `FileType` is sent as normal `POST` data that could be interpreted as a locale file path on the server-side (for example, `file:///etc/passwd`). If the application did not perform any additional checks about the value submitted to the `FileType`, the contents of the given file on the server could have been exposed to the attacker.", "aliases": [ { "alias": "CVE-2017-16790" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56307?format=api", "purl": "pkg:composer/symfony/form@2.7.38", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-frbz-vpfe-vbh9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/form@2.7.38" }, { "url": "http://public2.vulnerablecode.io/api/packages/56308?format=api", "purl": "pkg:composer/symfony/form@2.8.31", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/form@2.8.31" }, { "url": "http://public2.vulnerablecode.io/api/packages/56309?format=api", "purl": "pkg:composer/symfony/form@3.2.14", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/form@3.2.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/56310?format=api", "purl": "pkg:composer/symfony/form@3.3.13", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/form@3.3.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/56311?format=api", "purl": "pkg:composer/symfony/form@3.4.0-BETA5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/form@3.4.0-BETA5" }, { "url": "http://public2.vulnerablecode.io/api/packages/56312?format=api", "purl": "pkg:composer/symfony/form@4.0.0-BETA5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/form@4.0.0-BETA5" }, { "url": "http://public2.vulnerablecode.io/api/packages/55847?format=api", "purl": "pkg:composer/symfony/symfony@2.7.38", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-frbz-vpfe-vbh9" }, { "vulnerability": "VCID-mew1-9shg-mugs" }, { "vulnerability": "VCID-tx26-92jc-rkff" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.7.38" }, { "url": "http://public2.vulnerablecode.io/api/packages/55848?format=api", "purl": "pkg:composer/symfony/symfony@2.8.31", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.31" }, { "url": "http://public2.vulnerablecode.io/api/packages/55849?format=api", "purl": "pkg:composer/symfony/symfony@3.2.14", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.2.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/55850?format=api", "purl": "pkg:composer/symfony/symfony@3.3.13", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/55851?format=api", "purl": "pkg:composer/symfony/symfony@3.4.0-BETA5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.0-BETA5" }, { "url": "http://public2.vulnerablecode.io/api/packages/55852?format=api", "purl": "pkg:composer/symfony/symfony@4.0.0-BETA5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.0-BETA5" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56299?format=api", "purl": "pkg:composer/symfony/form@2.7.0-alpha0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-xdtu-22ad-63aq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/form@2.7.0-alpha0" }, { "url": "http://public2.vulnerablecode.io/api/packages/56300?format=api", "purl": "pkg:composer/symfony/form@2.7.37", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-xdtu-22ad-63aq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/form@2.7.37" }, { "url": "http://public2.vulnerablecode.io/api/packages/56301?format=api", "purl": "pkg:composer/symfony/form@2.8.0-alpha0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-xdtu-22ad-63aq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/form@2.8.0-alpha0" }, { "url": "http://public2.vulnerablecode.io/api/packages/56302?format=api", "purl": "pkg:composer/symfony/form@2.8.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-xdtu-22ad-63aq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/form@2.8.30" }, { "url": "http://public2.vulnerablecode.io/api/packages/56303?format=api", "purl": "pkg:composer/symfony/form@3.2.0-alpha0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-xdtu-22ad-63aq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/form@3.2.0-alpha0" }, { "url": "http://public2.vulnerablecode.io/api/packages/56304?format=api", "purl": "pkg:composer/symfony/form@3.2.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-xdtu-22ad-63aq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/form@3.2.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/56305?format=api", "purl": "pkg:composer/symfony/form@3.3.0-alpha0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-xdtu-22ad-63aq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/form@3.3.0-alpha0" }, { "url": "http://public2.vulnerablecode.io/api/packages/56306?format=api", "purl": "pkg:composer/symfony/form@3.3.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-xdtu-22ad-63aq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/form@3.3.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/55839?format=api", "purl": "pkg:composer/symfony/symfony@2.7.0-alpha0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-djnm-e9r4-c3f5" }, { "vulnerability": "VCID-xdtu-22ad-63aq" }, { "vulnerability": "VCID-xj13-fspe-hfgv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.7.0-alpha0" }, { "url": "http://public2.vulnerablecode.io/api/packages/55840?format=api", "purl": "pkg:composer/symfony/symfony@2.7.37", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-djnm-e9r4-c3f5" }, { "vulnerability": "VCID-dsbx-q641-4fc7" }, { "vulnerability": "VCID-xdtu-22ad-63aq" }, { "vulnerability": "VCID-xj13-fspe-hfgv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.7.37" }, { "url": "http://public2.vulnerablecode.io/api/packages/55841?format=api", "purl": "pkg:composer/symfony/symfony@2.8.0-alpha0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-djnm-e9r4-c3f5" }, { "vulnerability": "VCID-xdtu-22ad-63aq" }, { "vulnerability": "VCID-xj13-fspe-hfgv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.0-alpha0" }, { "url": "http://public2.vulnerablecode.io/api/packages/55842?format=api", "purl": "pkg:composer/symfony/symfony@2.8.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-djnm-e9r4-c3f5" }, { "vulnerability": "VCID-xdtu-22ad-63aq" }, { "vulnerability": "VCID-xj13-fspe-hfgv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.30" }, { "url": "http://public2.vulnerablecode.io/api/packages/55843?format=api", "purl": "pkg:composer/symfony/symfony@3.2.0-alpha0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-djnm-e9r4-c3f5" }, { "vulnerability": "VCID-xdtu-22ad-63aq" }, { "vulnerability": "VCID-xj13-fspe-hfgv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.2.0-alpha0" }, { "url": "http://public2.vulnerablecode.io/api/packages/55844?format=api", "purl": "pkg:composer/symfony/symfony@3.2.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-djnm-e9r4-c3f5" }, { "vulnerability": "VCID-dsbx-q641-4fc7" }, { "vulnerability": "VCID-xdtu-22ad-63aq" }, { "vulnerability": "VCID-xj13-fspe-hfgv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.2.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/55845?format=api", "purl": "pkg:composer/symfony/symfony@3.3.0-alpha0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-djnm-e9r4-c3f5" }, { "vulnerability": "VCID-xdtu-22ad-63aq" }, { "vulnerability": "VCID-xj13-fspe-hfgv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.0-alpha0" }, { "url": "http://public2.vulnerablecode.io/api/packages/55846?format=api", "purl": "pkg:composer/symfony/symfony@3.3.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-djnm-e9r4-c3f5" }, { "vulnerability": "VCID-dsbx-q641-4fc7" }, { "vulnerability": "VCID-xdtu-22ad-63aq" }, { "vulnerability": "VCID-xj13-fspe-hfgv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.12" } ], "references": [ { "reference_url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16790", "reference_id": "", "reference_type": "", "scores": [], "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16790" }, { "reference_url": "https://github.com/symfony/symfony/pull/24993", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/symfony/symfony/pull/24993" }, { "reference_url": "http://symfony.com/blog/cve-2017-16790-ensure-that-submitted-data-are-uploaded-files", "reference_id": "CVE-2017-16790-ENSURE-THAT-SUBMITTED-DATA-ARE-UPLOADED-FILES", "reference_type": "", "scores": [], "url": "http://symfony.com/blog/cve-2017-16790-ensure-that-submitted-data-are-uploaded-files" } ], "weaknesses": [ { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." }, { "cwe_id": 20, "name": "Improper Input Validation", "description": "The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." } ], "exploits": [], "severity_range_score": null, "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xdtu-22ad-63aq" }