GHSA-j68w-pg49-f6vx: Symfony XML decoding attack vector through external entities

May 30, 2024

The XMLEncoder component of Symfony 2.0.x fails to disable external entities when parsing XML. In the Symfony2 framework the XML class may be used to deserialize objects or as part of a client/server API. By using external entities it is possible to include arbitrary files from the file system.

References

github.com/FriendsOfPHP/security-advisories/blob/master/symfony/serializer/2012-02-24.yaml
github.com/advisories/GHSA-j68w-pg49-f6vx
github.com/symfony/serializer
github.com/symfony/serializer/commit/0943a06a663b573d7319fc1acd56d3484eaaa430
symfony.com/blog/security-release-symfony-2-0-11-released

Detect and mitigate GHSA-j68w-pg49-f6vx with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →