PT-2019-5066 · Php · Pharstreamwrapper
Daniel Le Gall · Published 2019-05-08 · Updated 2021-10-01 · CVE-2019-11831

| CVSS v3.1 | 9.8 Critical |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
PharStreamWrapper package versions 2.x before 2.1.1
PharStreamWrapper package versions 3.x before 3.1.1
Description
The PharStreamWrapper package does not prevent directory traversal in phar paths, which allows attackers to bypass the deserialization protection mechanism it provides. The protection can be bypassed with a URL such as "phar:///path/bad.phar/../good.phar". The underlying weakness is improper limitation of a pathname to a restricted directory (path traversal), which can allow an attacker to disclose protected information.
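The following PHP snippet is an added illustration, not code from the PharStreamWrapper project or from this advisory. It contrasts a weak allow-list check with a hardened one to show why a "../" segment in a phar:// path defeats a protection that normalises the path before deciding which archive it refers to: PHP's phar stream wrapper treats the leftmost path component ending in ".phar" as the archive, so a checker that resolves ".." lexically and inspects the resulting trailing ".phar" name is looking at a different file than the one PHP will open. The allow-list, file paths and helper names (isAllowedWeak, isAllowedHardened, archiveAsPhpSeesIt) are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not PharStreamWrapper's own code. The allow-list and all
// paths below are constructed; nothing here touches the filesystem.
const ALLOWED_ARCHIVES = ['/srv/app/good.phar'];

/** Strip the scheme: "phar:///srv/app/x.phar/y" -> "/srv/app/x.phar/y". */
function pharPath(string $url): string
{
    return (string) preg_replace('#^phar://#i', '', $url);
}

/** Lexically collapse "." and ".." segments (no filesystem access). */
function collapseDots(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

/**
 * WEAK (hypothetical): normalises the whole path, then trusts the last
 * ".phar" component. "phar:///srv/app/bad.phar/../good.phar" collapses to
 * "/srv/app/good.phar", which is on the allow-list, yet PHP opens the
 * leftmost archive on the original path (bad.phar) with "../good.phar" as
 * the entry inside it. The check and the runtime disagree: that is the bypass.
 */
function isAllowedWeak(string $url): bool
{
    $normalised = collapseDots(pharPath($url));
    if (preg_match('#^(.*\.phar)(/.*)?$#i', $normalised, $m) !== 1) {
        return false;
    }
    return in_array($m[1], ALLOWED_ARCHIVES, true);
}

/** The archive as PHP's phar extension picks it: the leftmost ".phar" segment. */
function archiveAsPhpSeesIt(string $path): ?string
{
    $prefix = '';
    foreach (explode('/', ltrim($path, '/')) as $seg) {
        $prefix .= '/' . $seg;
        if (preg_match('#\.phar$#i', $seg) === 1) {
            return $prefix;
        }
    }
    return null;
}

/**
 * HARDENED (hypothetical): refuse any traversal segment before doing anything
 * else, then resolve the archive the way PHP does and compare that name
 * against the allow-list.
 */
function isAllowedHardened(string $url): bool
{
    $path = pharPath($url);
    foreach (explode('/', $path) as $seg) {
        if ($seg === '..') {
            return false; // a traversal segment is never legitimate here
        }
    }
    $archive = archiveAsPhpSeesIt($path);
    return $archive !== null && in_array($archive, ALLOWED_ARCHIVES, true);
}

// Constructed inputs: the traversal URL from the advisory and a clean one.
$traversal = 'phar:///srv/app/bad.phar/../good.phar';
$clean     = 'phar:///srv/app/good.phar/index.php';
echo 'weak check, traversal URL:     ', var_export(isAllowedWeak($traversal), true), PHP_EOL;
echo 'hardened check, traversal URL: ', var_export(isAllowedHardened($traversal), true), PHP_EOL;
echo 'hardened check, clean URL:     ', var_export(isAllowedHardened($clean), true), PHP_EOL;
```

Run with any PHP 7.1 or later interpreter. The weak check accepts the traversal URL because it compares a normalised name that PHP never uses, while the hardened check rejects it outright and still accepts a plain path into an allow-listed archive. The two rules it applies, refuse ".." segments and resolve the archive exactly as the runtime will, are the defensive properties a fixed wrapper needs; the actual changes in 2.1.1 and 3.1.1 should be read from the project's own release notes.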
Recommendations
For PharStreamWrapper package versions 2.x before 2.1.1, update to version 2.1.1 or later.
For PharStreamWrapper package versions 3.x before 3.1.1, update to version 3.1.1 or later.
As a temporary workaround, consider restricting access to the phar:/// protocol handler until a patch is available, and reject URLs that contain the ../ sequence in the path, since they can be used to exploit the vulnerability.
Weakness Types
Deserialization of Untrusted Data
Path traversal
Related Identifiers
Affected Products
Pharstreamwrapper