Symfony XML decoding attack vector through external entities · GHSA-mmcv-fvq8-r9x3 · GitHub Advisory Database · GitHub

Symfony XML decoding attack vector through external entities

Critical severity GitHub Reviewed Published May 30, 2024 to the GitHub Advisory Database • Updated May 30, 2024

Package

symfony/symfony (Composer)

Affected versions

>= 2.0.0, < 2.0.11

Patched versions

2.0.11

Description

The XMLEncoder component of Symfony 2.0.x fails to disable external entities when parsing XML. In the Symfony2 framework the XML class may be used to deserialize objects or as part of a client/server API. By using external entities it is possible to include arbitrary files from the file system.

References

Published to the GitHub Advisory Database May 30, 2024

Reviewed May 30, 2024

Last updated May 30, 2024

Severity

Critical

9.8

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H