9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-11831

GHSA ID

GHSA-xv7v-rf6g-xwrc

EPSS Score

0.39974%

CWE

CWE-22

Published

9/30/2021

Updated

2/6/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-11831

CVE-2019-11831: Directory Traversal in typo3/phar-stream-wrapper

The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-11831

GHSA ID

GHSA-xv7v-rf6g-xwrc

EPSS Score

0.39974%

CWE

CWE-22

Published

9/30/2021

Updated

2/6/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
typo3/phar-stream-wrapper	composer	>= 2.0.0, < 2.1.1	2.1.1
typo3/phar-stream-wrapper	composer	>= 3.0.0, < 3.1.1	3.1.1
drupal/core	composer	>= 7.0.0, < 7.67.0	7.67.0
drupal/core	composer	>= 8.0.0, < 8.6.16	8.6.16
drupal/core	composer	>= 8.7.0, < 8.7.1	8.7.1
drupal/drupal	composer	>= 7.0.0, < 7.67.0	7.67.0
drupal/drupal	composer	>= 8.0.0, < 8.6.16	8.6.16
drupal/drupal	composer	>= 8.7.0, < 8.7.1	8.7.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper path handling in the PharStreamWrapper's Helper class. The TYPO3 advisory explicitly references an example where 'phar:///path/bad.phar/../good.phar' is incorrectly resolved to '/path/good.phar', bypassing checks. The determineBaseFile() and getCanonicalPath() functions are directly responsible for path resolution and canonicalization. The patches in versions 2.1.1/3.1.1 addressed these functions, confirming their role in the vulnerability. The CWE-22 (Path Traversal) mapping aligns with the flawed path resolution mechanism.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** P**rStr**mWr*pp*r (*k* p**r-str**m-wr*pp*r) p**k*** *.x ***or* *.*.* *n* *.x ***or* *.*.* *or TYPO* *o*s not pr*v*nt *ir**tory tr*v*rs*l, w*i** *llows *tt**k*rs to *yp*ss * **s*ri*liz*tion prot**tion m****nism, *s **monstr*t** *y * p**r:///p*t*/*

Reasoning

T** vuln*r**ility st*ms *rom improp*r p*t* **n*lin* in t** `P**rStr**mWr*pp*r`'s **lp*r *l*ss. T** TYPO* **visory *xpli*itly r***r*n**s *n *x*mpl* w**r* 'p**r:///p*t*/***.p**r/../*oo*.p**r' is in*orr**tly r*solv** to '/p*t*/*oo*.p**r', *yp*ssin* ****

9.8

Basic Information

Concerned about an active attack path?

CVE-2019-11831: Directory Traversal in typo3/phar-stream-wrapper

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI