CVE-2017-16654

An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes various bundle readers that are used to read resource bundles from the local filesystem. The read() methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a URL parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack, aka Directory Traversal.

Published: Aug 6, 2018
Updated: Apr 13, 2023
CVE: CVE-2017-16654
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
sensiolabs / symfony	2.7.0	2.7.37.x
sensiolabs / symfony	3.2.0	3.2.13.x
sensiolabs / symfony	3.3.0	3.3.12.x
sensiolabs / symfony	3.8.0	3.8.30.x
debian / debian_linux	8.0	8.0.x
debian / debian_linux	9.0	9.0.x

Vulnerability Database

289,697

CVE-2017-16654