Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:composer/symfony/intl@3.3.12

Type composer

Namespace symfony

Name intl

Version 3.3.12

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 3.3.13

Latest_non_vulnerable_version 4.0.0-BETA5

Affected_by_vulnerabilities

url VCID-xj13-fspe-hfgv

vulnerability_id VCID-xj13-fspe-hfgv

summary

An attacker can navigate to arbitrary directories via the dot-dot-slash attack
This package includes various bundle readers that are used to read resource bundles from the local filesystem. The `read()` methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a `URL` parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack.

references

reference_url	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16654
reference_id
reference_type
scores
url	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16654

reference_url	https://github.com/symfony/symfony/pull/24994
reference_id
reference_type
scores
url	https://github.com/symfony/symfony/pull/24994

reference_url	http://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths
reference_id	CVE-2017-16654-INTL-BUNDLE-READERS-BREAKING-OUT-OF-PATHS
reference_type
scores
url	http://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths

fixed_packages

url	pkg:composer/symfony/intl@3.3.13
purl	pkg:composer/symfony/intl@3.3.13
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/symfony/intl@3.3.13

url	pkg:composer/symfony/intl@3.4.0-BETA5
purl	pkg:composer/symfony/intl@3.4.0-BETA5
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/symfony/intl@3.4.0-BETA5

url	pkg:composer/symfony/intl@4.0.0-BETA5
purl	pkg:composer/symfony/intl@4.0.0-BETA5
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/symfony/intl@4.0.0-BETA5

aliases CVE-2017-16654

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xj13-fspe-hfgv

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/intl@3.3.12

Package Instance