CVE-2019-18889
CRITICAL9.8EPSS 5.1%Symfony Unsafe Cache Serialization Could Enable RCE
Published: 12/2/2019Modified: 5/27/2026
Description
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.
Affected packages (3)
- Debian/symfonyfrom 0, < 4.3.8+dfsg-1
- Packagist/symfony/cache>= 3.1.0, < 3.4.35
- Packagist/symfony/symfony>= 3.1.0, < 3.4.35
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (10)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-18889
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2019-18889
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/cache/CVE-2019-18889.yaml
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-18889.yaml
- WEBhttps://github.com/symfony/symfony/releases/tag/v4.3.8
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA
- WEBhttps://symfony.com/blog/cve-2019-18889-forbid-serializing-abstractadapter-and-tagawareadapter-instances
- WEBhttps://symfony.com/blog/symfony-4-3-8-released
- WEBhttps://symfony.com/cve-2019-18889