CVE-2017-16654 - OpenCVE

An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes various bundle readers that are used to read resource bundles from the local filesystem. The read() methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a URL parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack, aka Directory Traversal.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Sensiolabs	Symfony

Configuration 1 [-]

OR	cpe:2.3:a:sensiolabs:symfony::::::::
	cpe:2.3:a:sensiolabs:symfony::::::::
	cpe:2.3:a:sensiolabs:symfony::::::::
	cpe:2.3:a:sensiolabs:symfony::::::::

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*

No data.

References

Link	Providers
https://github.com/symfony/symfony/pull/24994
https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html
https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths
https://www.debian.org/security/2018/dsa-4262

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-08-06T21:00:00

Updated: 2024-08-05T20:27:04.443Z

Reserved: 2017-11-07T00:00:00

Link: CVE-2017-16654

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-08-06T21:29:00.330

Modified: 2019-03-13T17:56:32.990

Link: CVE-2017-16654

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-11-17T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes various bundle readers that are used to read resource bundles from the local filesystem. The read() methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a URL parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack, aka Directory Traversal."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-03-10T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/symfony/symfony/pull/24994"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths"}, {"name": "[debian-lts-announce] 20190310 [SECURITY] [DLA 1707-1] symfony security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html"}, {"name": "DSA-4262", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2018/dsa-4262"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-16654", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes various bundle readers that are used to read resource bundles from the local filesystem. The read() methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a URL parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack, aka Directory Traversal."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/symfony/symfony/pull/24994", "refsource": "CONFIRM", "url": "https://github.com/symfony/symfony/pull/24994"}, {"name": "https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths", "refsource": "CONFIRM", "url": "https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths"}, {"name": "[debian-lts-announce] 20190310 [SECURITY] [DLA 1707-1] symfony security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html"}, {"name": "DSA-4262", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4262"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T20:27:04.443Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/symfony/symfony/pull/24994"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths"}, {"name": "[debian-lts-announce] 20190310 [SECURITY] [DLA 1707-1] symfony security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html"}, {"name": "DSA-4262", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2018/dsa-4262"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-16654", "datePublished": "2018-08-06T21:00:00", "dateReserved": "2017-11-07T00:00:00", "dateUpdated": "2024-08-05T20:27:04.443Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "matchCriteriaId": "5B84DB7E-B758-4D6A-B10B-AE602F172EC0", "versionEndIncluding": "2.7.37", "versionStartIncluding": "2.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "matchCriteriaId": "13E4D371-1EC1-49A7-BED2-F9C36E8C5BB4", "versionEndIncluding": "3.2.13", "versionStartIncluding": "3.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "matchCriteriaId": "49BB635A-5911-4DB0-A75C-D73EBC772283", "versionEndIncluding": "3.3.12", "versionStartIncluding": "3.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "matchCriteriaId": "1B081CEE-9990-48CE-9ED2-06CBB6F977EA", "versionEndIncluding": "3.8.30", "versionStartIncluding": "3.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes various bundle readers that are used to read resource bundles from the local filesystem. The read() methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a URL parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack, aka Directory Traversal."}, {"lang": "es", "value": "Se ha descubierto un problema en Symfony en versiones anteriores a la 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5 y 4.0-BETA5. El componente Intl incluye varios lectores bundle que se emplean para leer bundles de recursos desde el sistema de archivos local. Los m\u00e9todos read() de estas clases emplean una ruta y una locale para determinar qu\u00e9 bundle de idioma deben recuperar. El valor del argumento locale suele recuperarse desde entradas de usuario no fiables (como un par\u00e1metro URL). Un atacante puede emplear este argumento para navegar a directorios arbitrarios mediante el ataque dot-dot-slash (punto-punto-barra), tambi\u00e9n conocido como salto de directorio."}], "id": "CVE-2017-16654", "lastModified": "2019-03-13T17:56:32.990", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-08-06T21:29:00.330", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/symfony/symfony/pull/24994"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2018/dsa-4262"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}