CVE-2017-16790 Information

Description

An issue was discovered in Symfony before 2.7.38 2.8.31 3.2.14 3.3.13 3.4-BETA5 and 4.0-BETA5. When a form is submitted by the user the request handler classes of the Form component merge POST data and uploaded files data into one array. This big array forms the data that are then bound to the form. At this stage there is no difference anymore between submitted POST data and uploaded files. A user can send a crafted HTTP request where the value of a \FileType\ is sent as normal POST data that could be interpreted as a local file path on the server-side (for example \file:///etc/passwd). If the application did not perform any additional checks about the value submitted to the \FileType\ the contents of the given file on the server could have been exposed to the attacker.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Reference

https://symfony.com/blog/cve-2017-16790-ensure-that-submitted-data-are-uploaded-files https://www.debian.org/security/2018/dsa-4262

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

6.5