CVE-2024-47049

The czim/file-handling package before 1.5.0 and 2.x before 2.3.0 (used with PHP Composer) does not properly validate URLs within makeFromUrl and makeFromAny, leading to SSRF, and to directory traversal for the reading of local files.
References
Configurations

Configuration 1

cpe:2.3:a:czim:file-handling:*:*:*:*:*:*:*:*

History

27 Sep 2024, 17:09

Type: CWE
  Values Removed: (none)
  Values Added: CWE-918, CWE-22

Type: References
  Values Removed: https://github.com/czim/file-handling/blob/2.3.0/SECURITY.md (no tag)
  Values Added: https://github.com/czim/file-handling/blob/2.3.0/SECURITY.md (Third Party Advisory)

Type: CVSS
  Values Removed: v2 : unknown; v3 : unknown
  Values Added: v2 : unknown; v3 : 8.2

Type: First Time
  Values Removed: (none)
  Values Added: Czim file-handling; Czim

Type: CPE
  Values Removed: (none)
  Values Added: cpe:2.3:a:czim:file-handling:*:*:*:*:*:*:*:*

20 Sep 2024, 12:30

Type: Summary
  Values Removed: (none)
  Values Added:
  • (es) The czim/file-handling package before 1.5.0 and 2.x before 2.3.0 (used with PHP Composer) does not properly validate URLs within makeFromUrl and makeFromAny, leading to SSRF and to directory traversal for the reading of local files.

17 Sep 2024, 14:15

Type: New CVE
  Values Removed: (none)
  Values Added: record created

Information

Published : 2024-09-17 14:15

Updated : 2024-09-27 17:09


NVD link : CVE-2024-47049

Mitre link : CVE-2024-47049

CVE.ORG link : CVE-2024-47049

Products Affected

czim

  • file-handling
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-918

Server-Side Request Forgery (SSRF)