CVE-2017-16790

Name of the Vulnerable Software and Affected Versions Symfony versions prior to 2.7.38 Symfony versions prior to 2.8.31 Symfony versions prior to 3.2.14 Symfony versions prior to 3.3.13 Symfony versions prior to 3.4-BETA5 Symfony versions prior to 4.0-BETA5

Description The issue exists due to insufficient input validation in the Form component of the Symfony platform. An attacker can exploit this by sending a specially crafted HTTP request where the FileType value is sent as POST data, which can be interpreted as a local file path on the server-side. This could allow the attacker to disclose protected information.

Recommendations For Symfony versions prior to 2.7.38, update to version 2.7.38 or later. For Symfony versions prior to 2.8.31, update to version 2.8.31 or later. For Symfony versions prior to 3.2.14, update to version 3.2.14 or later. For Symfony versions prior to 3.3.13, update to version 3.3.13 or later. For Symfony versions prior to 3.4-BETA5, update to version 3.4-BETA5 or later. For Symfony versions prior to 4.0-BETA5, update to version 4.0-BETA5 or later. As a temporary workaround, consider adding additional checks about the value submitted to the FileType field to prevent potential exploitation.