CVE-2019-18888

Name of the Vulnerable Software and Affected Versions Symfony versions 2.8.0 through 2.8.50 Symfony versions 3.4.0 through 3.4.34 Symfony versions 4.2.0 through 4.2.11 Symfony versions 4.3.0 through 4.3.7

Description An issue was discovered where an application passes unvalidated user input as the file for which MIME type validation should occur, allowing arbitrary arguments to be passed to the underlying file command. This issue is related to symfony/http-foundation and symfony/mime in 4.3.x. The vulnerability can be exploited by a remote attacker to impact data integrity.

Recommendations For Symfony versions 2.8.0 through 2.8.50, update to a version outside of this range to resolve the issue. For Symfony versions 3.4.0 through 3.4.34, update to a version outside of this range to resolve the issue. For Symfony versions 4.2.0 through 4.2.11, update to a version outside of this range to resolve the issue. For Symfony versions 4.3.0 through 4.3.7, update to a version outside of this range to resolve the issue. As a temporary workaround, consider validating user input before passing it as the file for MIME type validation to prevent arbitrary arguments from being passed to the underlying file command.