CVE-2019-18889
- Source
- https://cve.org/CVERecord?id=CVE-2019-18889
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-18889.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2019-18889
- Aliases
- Downstream
- Published
- 2019-11-21T23:15:13.607Z
- Modified
- 2026-05-16T12:02:36.908547343Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.
- Database specific
{ "unresolved_ranges": [ { "vendor_product": "fedoraproject:fedora", "cpes": [ "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*" ], "extracted_events": [ { "last_affected": "31" } ], "source": "CPE_FIELD" } ] }- References
-
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/
- https://github.com/symfony/symfony/releases/tag/v4.3.8
- https://symfony.com/blog/cve-2019-18889-forbid-serializing-abstractadapter-and-tagawareadapter-instances
- https://symfony.com/blog/symfony-4-3-8-released