CVE-2019-18889
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2019-18889
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-18889.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2019-18889
- Aliases
- Related
- Published
- 2019-11-21T23:15:13Z
- Modified
- 2024-10-12T04:40:41.813960Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.
- References
-
- https://symfony.com/blog/cve-2019-18889-forbid-serializing-abstractadapter-and-tagawareadapter-instances
- https://symfony.com/blog/symfony-4-3-8-released
- https://github.com/symfony/symfony/releases/tag/v4.3.8
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/
- https://security-tracker.debian.org/tracker/CVE-2019-18889
Affected packages
Debian:11 / symfony
Package
- Name
- symfony
- Purl
- pkg:deb/debian/symfony?arch=source
Debian:12 / symfony
Package
- Name
- symfony
- Purl
- pkg:deb/debian/symfony?arch=source
Debian:13 / symfony
Package
- Name
- symfony
- Purl
- pkg:deb/debian/symfony?arch=source