PT-2019-5182 · Symfony · Symfony

Nicolas-Grekas · Published 2019-11-18 · Updated 2020-08-24 · CVE-2019-18889

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Symfony versions 3.4.0 through 3.4.34
Symfony versions 4.2.0 through 4.2.11
Symfony versions 4.3.0 through 4.3.7

Description
The issue exists due to the failure to neutralize special elements, which can allow a remote attacker to inject arbitrary code. This is related to the serialization of certain cache adapter interfaces in Symfony, potentially resulting in remote code injection.

Recommendations
For Symfony versions 3.4.0 through 3.4.34, update to a version that fixes the issue with serializing cache adapter interfaces.
For Symfony versions 4.2.0 through 4.2.11, update to a version that fixes the issue with serializing cache adapter interfaces.
For Symfony versions 4.3.0 through 4.3.7, update to a version that fixes the issue with serializing cache adapter interfaces.

Exploit

Fix

Special Elements Injection

Code Injection


Weakness Enumeration

Related Identifiers

BDU:2020-01855
CVE-2019-18889
DSA-4573-1
GHSA-79GR-58R3-PWM3

Affected Products

Symfony