The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| typo3/phar-stream-wrapper(Packagist) | 2.0.0 | 2.1.1 | N/A |
| typo3/phar-stream-wrapper(Packagist) | 3.0.0 | 3.1.1 | N/A |
| drupal/core(Packagist) | 7.0.0 | 7.67.0 | N/A |
| drupal/core(Packagist) | 8.0.0 | 8.6.16 | N/A |
| drupal/core(Packagist) | 8.7.0 | 8.7.1 | N/A |
| drupal/drupal(Packagist) | 7.0.0 | 7.67.0 | N/A |
| drupal/drupal(Packagist) | 8.0.0 | 8.6.16 | N/A |
| drupal/drupal(Packagist) | 8.7.0 | 8.7.1 | N/A |
CVSS Metrics
