CVE-2019-16317: Deserialization of Untrusted Data

September 14, 2019 (updated September 17, 2019)

In Pimcore an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory.

References

nvd.nist.gov/vuln/detail/CVE-2019-16317

Code Behaviors & Features

Detect and mitigate CVE-2019-16317 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →