CVE-2019-18889

CRITICAL9.8EPSS 5.1%

Symfony Unsafe Cache Serialization Could Enable RCE

發布日:2019/12/2修改日:2026/5/27

也稱為:GHSA-79gr-58r3-pwm3DEBIAN-CVE-2019-18889

描述

An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.

受影響套件(3)

Debian/symfonyfrom 0, < 4.3.8+dfsg-1
Packagist/symfony/cache>= 3.1.0, < 3.4.35
Packagist/symfony/symfony>= 3.1.0, < 3.4.35

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(10)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-18889
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2019-18889
WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/cache/CVE-2019-18889.yaml
WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-18889.yaml
WEBhttps://github.com/symfony/symfony/releases/tag/v4.3.8
WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA
WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA
WEBhttps://symfony.com/blog/cve-2019-18889-forbid-serializing-abstractadapter-and-tagawareadapter-instances
WEBhttps://symfony.com/blog/symfony-4-3-8-released
WEBhttps://symfony.com/cve-2019-18889