{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57794?format=json","vulnerability_id":"VCID-hsez-yx7s-uuhn","summary":"PharStreamWrapper for TYPO3 unsafe deserialization vulnerability\nPharMetaDataInterceptor in the PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 mishandles Phar stub parsing, which allows attackers to bypass a deserialization protection mechanism.","aliases":[{"alias":"CVE-2019-11830"},{"alias":"GHSA-3hxw-g85p-qgxm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36415?format=json","purl":"pkg:composer/typo3/phar-stream-wrapper@2.1.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/phar-stream-wrapper@2.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/36416?format=json","purl":"pkg:composer/typo3/phar-stream-wrapper@3.1.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/phar-stream-wrapper@3.1.1"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36413?format=json","purl":"pkg:composer/typo3/phar-stream-wrapper@2.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-349d-w26k-mqfw"},{"vulnerability":"VCID-4ehm-4k5n-mkfk"},{"vulnerability":"VCID-chq1-2qx1-qqe9"},{"vulnerability":"VCID-ddsb-8rn2-x7gb"},{"vulnerability":"VCID-hsez-yx7s-uuhn"},{"vulnerability":"VCID-xvf6-5tjp-b7bu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/phar-stream-wrapper@2.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/59561?format=json","purl":"pkg:composer/typo3/phar-stream-wrapper@2.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-349d-w26k-mqfw"},{"vulnerability":"VCID-ddsb-8rn2-x7gb"},{"vulnerability":"VCID-hsez-yx7s-uuhn"},{"vulnerability":"VCID-xvf6-5tjp-b7bu"}],"resource_url":"h
ttp://public2.vulnerablecode.io/packages/pkg:composer/typo3/phar-stream-wrapper@2.0.1"},{"url":"http://public2.vulnerablecode.io/api/packages/185985?format=json","purl":"pkg:composer/typo3/phar-stream-wrapper@2.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-349d-w26k-mqfw"},{"vulnerability":"VCID-ddsb-8rn2-x7gb"},{"vulnerability":"VCID-hsez-yx7s-uuhn"},{"vulnerability":"VCID-xvf6-5tjp-b7bu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/phar-stream-wrapper@2.1.0"},{"url":"http://public2.vulnerablecode.io/api/packages/36414?format=json","purl":"pkg:composer/typo3/phar-stream-wrapper@3.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-349d-w26k-mqfw"},{"vulnerability":"VCID-4ehm-4k5n-mkfk"},{"vulnerability":"VCID-chq1-2qx1-qqe9"},{"vulnerability":"VCID-ddsb-8rn2-x7gb"},{"vulnerability":"VCID-hsez-yx7s-uuhn"},{"vulnerability":"VCID-xvf6-5tjp-b7bu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/phar-stream-wrapper@3.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/32479?format=json","purl":"pkg:composer/typo3/phar-stream-wrapper@3.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-349d-w26k-mqfw"},{"vulnerability":"VCID-ddsb-8rn2-x7gb"},{"vulnerability":"VCID-hsez-yx7s-uuhn"},{"vulnerability":"VCID-xvf6-5tjp-b7bu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/phar-stream-wrapper@3.0.1"},{"url":"http://public2.vulnerablecode.io/api/packages/185986?format=json","purl":"pkg:composer/typo3/phar-stream-wrapper@3.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-349d-w26k-mqfw"},{"vulnerability":"VCID-ddsb-8rn2-x7gb"},{"vulnerability":"VCID-hsez-yx7s-uuhn"},{"vulnerability":"VCID-xvf6-5tjp-b7bu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/phar-stream-wrapper@3.1.0"}],"references":[{"reference_url":"https://api.first
.org/data/v1/epss?cve=CVE-2019-11830","reference_id":"","reference_type":"","scores":[{"value":"0.02401","scoring_system":"epss","scoring_elements":"0.85058","published_at":"2026-04-09T12:55:00Z"},{"value":"0.02401","scoring_system":"epss","scoring_elements":"0.85224","published_at":"2026-05-14T12:55:00Z"},{"value":"0.02401","scoring_system":"epss","scoring_elements":"0.8519","published_at":"2026-05-12T12:55:00Z"},{"value":"0.02401","scoring_system":"epss","scoring_elements":"0.85176","published_at":"2026-05-11T12:55:00Z"},{"value":"0.02401","scoring_system":"epss","scoring_elements":"0.8518","published_at":"2026-05-09T12:55:00Z"},{"value":"0.02401","scoring_system":"epss","scoring_elements":"0.85159","published_at":"2026-05-07T12:55:00Z"},{"value":"0.02401","scoring_system":"epss","scoring_elements":"0.85134","published_at":"2026-05-05T12:55:00Z"},{"value":"0.02401","scoring_system":"epss","scoring_elements":"0.8512","published_at":"2026-04-29T12:55:00Z"},{"value":"0.02401","scoring_system":"epss","scoring_elements":"0.85123","published_at":"2026-04-26T12:55:00Z"},{"value":"0.02401","scoring_system":"epss","scoring_elements":"0.85114","published_at":"2026-04-24T12:55:00Z"},{"value":"0.02401","scoring_system":"epss","scoring_elements":"0.8509","published_at":"2026-04-21T12:55:00Z"},{"value":"0.02401","scoring_system":"epss","scoring_elements":"0.85093","published_at":"2026-04-18T12:55:00Z"},{"value":"0.02401","scoring_system":"epss","scoring_elements":"0.85091","published_at":"2026-04-16T12:55:00Z"},{"value":"0.02401","scoring_system":"epss","scoring_elements":"0.85069","published_at":"2026-04-13T12:55:00Z"},{"value":"0.02401","scoring_system":"epss","scoring_elements":"0.85073","published_at":"2026-04-12T12:55:00Z"},{"value":"0.02401","scoring_system":"epss","scoring_elements":"0.85074","published_at":"2026-04-11T12:55:00Z"},{"value":"0.02493","scoring_system":"epss","scoring_elements":"0.85281","published_at":"2026-04-07T12:55:00Z"},{"value":"0.02493","scoring_sys
tem":"epss","scoring_elements":"0.85303","published_at":"2026-04-08T12:55:00Z"},{"value":"0.02493","scoring_system":"epss","scoring_elements":"0.85248","published_at":"2026-04-01T12:55:00Z"},{"value":"0.02493","scoring_system":"epss","scoring_elements":"0.8526","published_at":"2026-04-02T12:55:00Z"},{"value":"0.02493","scoring_system":"epss","scoring_elements":"0.85279","published_at":"2026-04-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-11830"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/phar-stream-wrapper/CVE-2019-11830.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/phar-stream-wrapper/CVE-2019-11830.yaml"},{"reference_url":"https://github.com/TYPO3/phar-stream-wrapper","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/phar-stream-wrapper"},{"reference_url":"https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1"},{"reference_url":"https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_t
extual","scoring_elements":""}],"url":"https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523","reference_id":
"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11830","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11830"},{"reference_url":"https://typo3.org/security/advisory/typo3-psa-2019-008","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-psa-2019-008"},{"reference_url":"https://typo3.org/security/advisory/typo3-psa-2019-008/","reference_id":"","reference_type":"","scores":[],"url":"https://typo3.org/security/advisory/typo3-psa-2019-008/"},{"reference_url":"https://github.com/advisories/GHSA-3hxw-g85p-qgxm","reference_id":"GHSA-3hxw-g85p-qgxm","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3hxw-g85p-qgxm"}],"weaknesses":[{"cwe_id":502,"name":"Deserialization of Untrusted Data","description":"The product 
deserializes untrusted data without sufficiently verifying that the resulting data will be valid."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."}],"exploits":[],"severity_range_score":"9.0 - 10.0","exploitability":"0.5","weighted_severity":"9.0","risk_score":4.5,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hsez-yx7s-uuhn"}