CVE-2019-10912
HIGH7.1EPSS 1.1%Deserialization of untrusted data in Symfony
發布日:2020/2/12修改日:2026/5/27
描述
In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge.
受影響套件(6)
- Debian/symfonyfrom 0, < 3.4.22+dfsg-2
- Packagist/symfony/cache>= 3.1.0, < 3.4.26
- Packagist/symfony/phpunit-bridge>= 2.8.0, < 2.8.50
- Packagist/symfony/symfony>= 2.8.0, < 2.8.50
- Packagist/typo3/cms>= 9.0.0, < 9.5.8
- Packagist/typo3/cms-core>= 9.0.0, < 9.5.8
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.1 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N |
參考連結(29)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-10912
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2019-10912
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/cache/CVE-2019-10912.yaml
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/phpunit-bridge/CVE-2019-10912.yaml
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-10912.yaml
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2019-10912.yaml
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2019-10912.yaml
- WEBhttps://github.com/symfony/symfony/commit/4fb975281634b8d49ebf013af9e502e67c28816b
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42UEKSLKJB72P24JBWVN6AADHLMYSUQD
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QEAOZXVNDA63537A2OIH4QE77EKZR5O
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAC2TQVEEH5FDJSSWPM2BCRIPTCOEMMO
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BHHIG4GMSGEIDT3RITSW7GJ5NT6IBHXU
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LFARAUAWZE4UDSKVDWRD35D75HI5UGSD
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDSM576XIOVXVCMHNJHLBBZBTOD62LDA
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTJGZJLPG5FHKFH7KNAKNTWOGBB6LXAL
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLOZX5BZMQKWG7PJRQL6MB5CAMKBQAWD
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/42UEKSLKJB72P24JBWVN6AADHLMYSUQD
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/6QEAOZXVNDA63537A2OIH4QE77EKZR5O
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/BAC2TQVEEH5FDJSSWPM2BCRIPTCOEMMO
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/BHHIG4GMSGEIDT3RITSW7GJ5NT6IBHXU
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/LFARAUAWZE4UDSKVDWRD35D75HI5UGSD
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/MDSM576XIOVXVCMHNJHLBBZBTOD62LDA
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/RTJGZJLPG5FHKFH7KNAKNTWOGBB6LXAL
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/ZLOZX5BZMQKWG7PJRQL6MB5CAMKBQAWD
- WEBhttps://seclists.org/bugtraq/2019/May/21
- WEBhttps://symfony.com/blog/cve-2019-10912-prevent-destructors-with-side-effects-from-being-unserialized
- WEBhttps://symfony.com/cve-2019-10912
- WEBhttps://typo3.org/security/advisory/typo3-core-sa-2019-016
- WEBhttps://www.debian.org/security/2019/dsa-4441