CVE-2017-16654

Name of the Vulnerable Software and Affected Versions Symfony versions prior to 2.7.38 Symfony versions prior to 2.8.31 Symfony versions prior to 3.2.14 Symfony versions prior to 3.3.13 Symfony versions prior to 3.4-BETA5 Symfony versions prior to 4.0-BETA5

Description An issue in the Intl component of Symfony allows an attacker to navigate to arbitrary directories via a dot-dot-slash attack, also known as Directory Traversal. The read() methods of bundle reader classes use a path and a locale to determine the language bundle to retrieve, with the locale argument value commonly retrieved from untrusted user input. This can be exploited by sending specially crafted requests, potentially allowing a remote attacker to disclose protected information.

Recommendations For versions prior to 2.7.38, update to version 2.7.38 or later. For versions prior to 2.8.31, update to version 2.8.31 or later. For versions prior to 3.2.14, update to version 3.2.14 or later. For versions prior to 3.3.13, update to version 3.3.13 or later. For versions prior to 3.4-BETA5, update to version 3.4-BETA5 or later. For versions prior to 4.0-BETA5, update to version 4.0-BETA5 or later.