Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xOGo3LWZqaDctMjV2Nc3gFg
Symfony collectionCascaded and collectionCascadedDeeply fields security bypass
When using the Validator component, if Symfony\Component\Validator\Mapping\Cache\ApcCache is enabled (or any other cache implementing Symfony\Component\Validator\Mapping\Cache\CacheInterface), some information is lost during serialization (the collectionCascaded and collectionCascadedDeeply fields).
As a consequence, arrays or traversable objects stored in fields using the @Valid constraint are not traversed by the validator as soon as the validator configuration is loaded from the cache.
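The failure mode above is a serialization one: metadata is written to the cache with serialize(), read back with unserialize(), and any property not listed by the object's __sleep() silently reverts to its default. The following is an added, self-contained PHP illustration written for this page, not Symfony's own code; the class names MemberMetadataBroken and MemberMetadataFixed, the cacheRoundTrip() helper and the traversesCollections() decision are stand-ins that model the behaviour described in the advisory, not the component's real API.

```php
<?php
// Added illustration (not Symfony code): a minimal stand-in for the validator's
// per-member metadata, showing how a __sleep() list that omits fields resets
// them after a cache round-trip, the mechanism behind GHSA-q8j7-fjh7-25v5.

class MemberMetadataBroken
{
    public $name;
    public $constraints = array();
    public $cascaded = false;                // field carries @Valid
    public $collectionCascaded = false;      // walk into arrays / Traversable
    public $collectionCascadedDeeply = false; // walk into nested collections

    public function __construct($name, array $constraints, $cascaded, $collectionCascaded, $collectionCascadedDeeply)
    {
        $this->name = $name;
        $this->constraints = $constraints;
        $this->cascaded = $cascaded;
        $this->collectionCascaded = $collectionCascaded;
        $this->collectionCascadedDeeply = $collectionCascadedDeeply;
    }

    // Vulnerable pattern: the two collection flags are not listed, so serialize()
    // drops them and unserialize() brings them back as their default (false).
    public function __sleep()
    {
        return array('name', 'constraints', 'cascaded');
    }
}

class MemberMetadataFixed extends MemberMetadataBroken
{
    // Hardened pattern: every flag the validator consults survives the cache.
    public function __sleep()
    {
        return array('name', 'constraints', 'cascaded', 'collectionCascaded', 'collectionCascadedDeeply');
    }
}

// Models what a CacheInterface implementation does between two requests:
// store the serialized metadata, then load it back. A real ApcCache would
// call apc_store()/apc_fetch() around the same serialize()/unserialize().
function cacheRoundTrip($metadata)
{
    $stored = serialize($metadata);
    return unserialize($stored);
}

// Models the validator's decision for a field holding an array: the array is
// only traversed if the metadata says the collection is cascaded.
function traversesCollections($metadata)
{
    return $metadata->cascaded && $metadata->collectionCascaded;
}

// Constructed sample: a field "items" annotated with @Valid on a collection.
$fresh   = new MemberMetadataBroken('items', array('Valid'), true, true, false);
$cached  = cacheRoundTrip($fresh);
$patched = cacheRoundTrip(new MemberMetadataFixed('items', array('Valid'), true, true, false));

printf("fresh metadata traverses the array:         %s\n", traversesCollections($fresh) ? 'yes' : 'no');
printf("after cache round-trip, vulnerable __sleep: %s\n", traversesCollections($cached) ? 'yes' : 'no');
printf("after cache round-trip, fixed __sleep:      %s\n", traversesCollections($patched) ? 'yes' : 'no');
```

The first run of a request (cold cache) validates correctly, which is why the bug is easy to miss in development where caches are typically disabled; it only shows up once metadata is served from the cache. A regression test for this class of bug should therefore validate a fixture through a warm cache, not just a freshly built metadata factory.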
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xOGo3LWZqaDctMjV2Nc3gFg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: 2 months ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-q8j7-fjh7-25v5, CVE-2013-4751
References:
- https://nvd.nist.gov/vuln/detail/CVE-2013-4751
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4751
- https://exchange.xforce.ibmcloud.com/vulnerabilities/86364
- http://lists.fedoraproject.org/pipermail/package-announce/2013-August/114380.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-August/114436.html
- http://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released
- https://web.archive.org/web/20200228181137/http://www.securityfocus.com/bid/61709
- https://github.com/advisories/GHSA-q8j7-fjh7-25v5
Affected Packages
packagist:symfony/validator
Versions: >= 2.3.0, < 2.3.3, >= 2.2.0, < 2.2.5, >= 2.1.0, < 2.1.12, >= 2.0.0, < 2.0.24
Fixed in: 2.3.3, 2.2.5, 2.1.12, 2.0.24