Description
Valinor is a PHP library that helps to map any input into a strongly-typed value object structure. Prior to version 0.12.0, Valinor can use Throwable#getMessage() when it should not have permission to do so. This is a problem with cases such as an SQL exception showing an SQL snippet, a database connection exception showing database IP address/username/password, or a timeout detail / out of memory detail. Attackers could use this information for potential data exfiltration, denial of service attacks, enumeration attacks, etc. Version 0.12.0 contains a patch for this vulnerability.
| Release | Status | Note |
|---|---|---|
| bionic | DNE | |
| devel | not-affected | |
| esm-apps/focal | not-affected | |
| esm-apps/jammy | not-affected | |
| focal | not-affected | |
| impish | not-affected | |
| jammy | not-affected | |
| trusty | DNE | |
| upstream | needs-triage | |
| xenial | DNE | |
6.4 Medium
CVSS2
7.5 High
CVSS3
Related vulnerabilities
Valinor is a PHP library that helps to map any input into a strongly-typed value object structure. Prior to version 0.12.0, Valinor can use `Throwable#getMessage()` when it should not have permission to do so. This is a problem with cases such as an SQL exception showing an SQL snippet, a database connection exception showing database IP address/username/password, or a timeout detail / out of memory detail. Attackers could use this information for potential data exfiltration, denial of service attacks, enumeration attacks, etc. Version 0.12.0 contains a patch for this vulnerability.
Valinor error messages leading to potential data exfiltration before v0.12.0
6.4 Medium
CVSS2
7.5 High
CVSS3