CVE-2017-16654: An attacker can navigate to arbitrary directories via the dot-dot-slash attack

August 6, 2018 (updated March 13, 2019)

This package includes various bundle readers that are used to read resource bundles from the local filesystem. The read() methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a URL parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack.

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16654
symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths
github.com/symfony/symfony/pull/24994

Code Behaviors & Features

Detect and mitigate CVE-2017-16654 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →