Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01bTN3LXJ2dmgtOGZ4Ns4AAQML
Joomla! Object Injection Vulnerability
An issue was discovered in Joomla! before 3.9.3. The phar:// stream wrapper can be used for object injection attacks because there is no protection mechanism (such as the TYPO3 PHAR stream wrapper) to prevent use of the phar:// handler for non-.phar files.
Permalink: https://github.com/advisories/GHSA-5m3w-rvvh-8fx6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01bTN3LXJ2dmgtOGZ4Ns4AAQML
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: 7 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-5m3w-rvvh-8fx6, CVE-2019-7743
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-7743
- https://developer.joomla.org/security-centre/770-20190206-core-implement-the-typo3-phar-stream-wrapper
- https://github.com/joomla/joomla-cms/issues/23907
- https://web.archive.org/web/20210730211655/https://www.securityfocus.com/bid/107050
- https://github.com/advisories/GHSA-5m3w-rvvh-8fx6
Blast Radius: 1.0
Affected Packages
packagist:joomla/joomla-cms
Affected Version Ranges: >= 2.5.0, < 3.9.3
Fixed in: 3.9.3