Published: 09/05/2019 Updated: 17/05/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

PharMetaDataInterceptor in the PharStreamWrapper (aka phar-stream-wrapper) package 2.x prior to 2.1.1 and 3.x prior to 3.1.1 for TYPO3 mishandles Phar stub parsing, which allows malicious users to bypass a deserialization protection mechanism.

Vulnerable Product

typo3 pharstreamwrapper

Vendor Advisories

Debian Bug report logs - #928688
drupal7: Insecure deserialization on bundled third-party library "Phar Stream Wrapper" (SA-CORE-2019-007) (CVE-2019-11831)
Package: drupal7; Maintainer for drupal7 is Gunnar Wolf <gwolf@debian.org>; Source for drupal7 is src:drupal7
Reported by: Gunnar Wolf <gwolf@gwo ...