CVE-2019-11325
CRITICAL 9.8 | EPSS 4.7% | Improper Input Validation in Symfony
Published: 2020/2/12 | Modified: 2026/5/27
Description
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExporter component (the symfony/var-exporter package, also shipped inside the symfony/symfony monolith) escapes strings incorrectly when it renders a value as PHP source. Because the component's output is PHP code intended to be written to a file and later included by the application, a specially crafted string that breaks out of its string literal ends up in executable code, which allows execution of arbitrary PHP. The fix is in 4.2.12 and 4.3.8; treat any application that passes attacker-influenced values through VarExporter on an affected version as exposed.
Affected packages (3)
- Debian / symfony: from 0, < 4.3.8+dfsg-1
- Packagist / symfony/symfony: >= 4.2.0, < 4.2.12
- Packagist / symfony/var-exporter: >= 4.2.0, < 4.2.12
The Packagist ranges listed here cover only the 4.2.x branch. Per the description above, 4.3.0 through 4.3.7 of both packages are also affected; the first fixed releases are 4.2.12 and 4.3.8. The Debian range ends at the packaged 4.3.8, which matches.
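A practitioner's first question is whether a given project pulls in an affected version. The script below is an added example, not code from the advisory or from Symfony: it reads the `name` and `version` fields that Composer writes into `composer.lock` (for both the `packages` and `packages-dev` sections) and flags symfony/symfony and symfony/var-exporter against the ranges stated on this page (4.2.0 ≤ v < 4.2.12 and 4.3.0 ≤ v < 4.3.8). The lock file contents are constructed for the demonstration; dev branches such as `4.3.x-dev` cannot be placed in a range and are reported for manual review rather than silently skipped.

```python
"""Audit a composer.lock for the CVE-2019-11325 ranges stated in the advisory.

Added example, not Symfony or advisory-database code. The affected ranges are
taken from the advisory text; the lock file data below is constructed.
"""
import json
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# (package, lower bound inclusive, upper bound exclusive), as stated on the page
AFFECTED_RANGES = [
    ("symfony/symfony", (4, 2, 0), (4, 2, 12)),
    ("symfony/symfony", (4, 3, 0), (4, 3, 8)),
    ("symfony/var-exporter", (4, 2, 0), (4, 2, 12)),
    ("symfony/var-exporter", (4, 3, 0), (4, 3, 8)),
]
WATCHED = {name for name, _, _ in AFFECTED_RANGES}

def parse_version(raw: str) -> Version:
    """Turn 'v4.3.7', '4.3.7' or '4.3.7-BETA1' into a comparable tuple.

    Pre-release/build suffixes are dropped. Branch aliases such as
    '4.3.x-dev' or 'dev-master' do not match and raise ValueError so the
    caller can surface them instead of treating them as safe.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?", raw)
    if not m:
        raise ValueError(f"cannot parse Composer version {raw!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch is not None else 0)

def is_affected(package: str, version: str) -> bool:
    """True if (package, version) falls inside one of the advisory's ranges."""
    v = parse_version(version)
    return any(package == name and lo <= v < hi for name, lo, hi in AFFECTED_RANGES)

def audit_lock(lock_json: str) -> List[Dict[str, str]]:
    """Return one finding per watched package that is affected or unparseable."""
    lock = json.loads(lock_json)
    findings: List[Dict[str, str]] = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name, version = pkg["name"], pkg["version"]
            if name not in WATCHED:
                continue
            try:
                hit = is_affected(name, version)
            except ValueError:
                findings.append({"name": name, "version": version,
                                 "status": "unparseable, review manually"})
                continue
            if hit:
                findings.append({"name": name, "version": version,
                                 "status": "affected by CVE-2019-11325"})
    return findings

# Constructed lock data: one affected component, one fixed monolith, one
# unrelated package that must be ignored.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/var-exporter", "version": "v4.3.7"},
        {"name": "symfony/yaml", "version": "v4.3.7"},
        {"name": "symfony/symfony", "version": "v4.2.12"},
    ],
    "packages-dev": [],
})

# Constructed lock data pinned to a branch alias, which cannot be range-checked.
DEV_LOCK = json.dumps({
    "packages": [{"name": "symfony/var-exporter", "version": "4.3.x-dev"}],
})

if __name__ == "__main__":
    for finding in audit_lock(SAMPLE_LOCK) + audit_lock(DEV_LOCK):
        print(f"{finding['name']} {finding['version']}: {finding['status']}")
```

Run it against a real project by replacing `SAMPLE_LOCK` with the contents of its `composer.lock`. A hit on symfony/symfony alone is enough to act on, since the monolith bundles the VarExporter component; upgrading to 4.2.12 or 4.3.8 clears both rows.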
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (9)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2019-11325
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2019-11325
- WEB: https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-11325.yaml
- WEB: https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/var-exporter/CVE-2019-11325.yaml
- WEB: https://github.com/symfony/symfony/releases/tag/v4.3.8
- WEB: https://github.com/symfony/var-exporter/compare/d8bf442...57e00f3
- WEB: https://symfony.com/blog/cve-2019-11325-fix-escaping-of-strings-in-varexporter
- WEB: https://symfony.com/blog/symfony-4-3-8-released
- WEB: https://symfony.com/cve-2019-11325