Vulnerability CVE-2017-16790

Vulnerability Name:

CVE-2017-16790 (CCN-148235)

Assigned:

2017-11-17

Published:

2017-11-17

Updated:

2018-10-11

Summary:

An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. When a form is submitted by the user, the request handler classes of the Form component merge POST data and uploaded files data into one array. This big array forms the data that are then bound to the form. At this stage there is no difference anymore between submitted POST data and uploaded files. A user can send a crafted HTTP request where the value of a "FileType" is sent as normal POST data that could be interpreted as a local file path on the server-side (for example, "file:///etc/passwd"). If the application did not perform any additional checks about the value submitted to the "FileType", the contents of the given file on the server could have been exposed to the attacker.

CVSS v3 Severity:

6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

4.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
3.8 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-20

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2017-16790

Source: XF
Type: UNKNOWN
symfony-cve201716790-info-disc(148235)

Source: CCN
Type: Symfony blog, November 17, 2017
CVE-2017-16790: Ensure that submitted data are uploaded files

Source: CONFIRM
Type: Issue Tracking, Patch, Vendor Advisory
https://symfony.com/blog/cve-2017-16790-ensure-that-submitted-data-are-uploaded-files

Source: DEBIAN
Type: Third Party Advisory
DSA-4262

Vulnerable Configuration:

Configuration 1:

cpe:/a:sensiolabs:symfony:*:*:*:*:*:*:*:* (Version >= 2.7.0 and <= 2.7.37)

OR cpe:/a:sensiolabs:symfony:*:*:*:*:*:*:*:* (Version >= 2.8.0 and <= 2.8.30)

OR cpe:/a:sensiolabs:symfony:*:*:*:*:*:*:*:* (Version >= 3.2.0 and <= 3.2.13)

OR cpe:/a:sensiolabs:symfony:*:*:*:*:*:*:*:* (Version >= 3.3.0 and <= 3.3.12)

Configuration 2:

cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.bionic:def:201716790000	V	CVE-2017-16790 on Ubuntu 18.04 LTS (bionic) - medium.	2018-08-06
oval:com.ubuntu.bionic:def:2017167900000000	V	CVE-2017-16790 on Ubuntu 18.04 LTS (bionic) - medium.	2018-08-06
oval:com.ubuntu.cosmic:def:201716790000	V	CVE-2017-16790 on Ubuntu 18.10 (cosmic) - medium.	2018-08-06
oval:com.ubuntu.xenial:def:2017167900000000	V	CVE-2017-16790 on Ubuntu 16.04 LTS (xenial) - medium.	2018-08-06
oval:com.ubuntu.xenial:def:201716790000	V	CVE-2017-16790 on Ubuntu 16.04 LTS (xenial) - medium.	2018-08-06
oval:com.ubuntu.cosmic:def:2017167900000000	V	CVE-2017-16790 on Ubuntu 18.10 (cosmic) - medium.	2018-08-06

BACK