{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "2.0.0" }, { "fixed": "2.1.1" }, { "introduced": "3.0.0" }, { "fixed": "3.1.1" } ] }, "events": [ { "introduced": "369f83042ea2e57d98dd04ce4c7318d008497a29" }, { "fixed": "e438b0c78652b33407983eb29d215a1a3f68f6f3" }, { "introduced": "072007eb3d2c8864aa7535fe5bd0349b5ba765f6" }, { "fixed": "fff6f5e037882f816cd41a9f5ccd8d8f97bfdebf" } ], "repo": "https://github.com/typo3/phar-stream-wrapper", "type": "GIT" } ] } ], "details": "PharMetaDataInterceptor in the PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 mishandles Phar stub parsing, which allows attackers to bypass a deserialization protection mechanism.", "id": "CVE-2019-11830", "modified": "2026-03-15T13:48:49.391530383Z", "published": "2019-05-09T04:29:00.770Z", "references": [ { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523/" }, { "type": "ADVISORY", "url": "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1" }, { "type": "ADVISORY", "url": "https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1" }, { "type": "ADVISORY", "url": "https://typo3.org/security/advisory/typo3-psa-2019-008/" } ], "severity": [ { "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ] }