Lucene search

K

GitHub Advisory DatabaseGHSA-XHH6-956Q-4Q69

HistoryDec 02, 2019 - 6:08 p.m.

Argument injection in a MimeTypeGuesser in Symfony

2019-12-0218:08:19

CWE-20

CWE-88

GitHub Advisory Database

github.com

85

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.004

Percentile

72.4%

An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).

Affected configurations

Vulners

Node

symfonysymfonyRange<4.3.8

OR

symfonysymfonyRange<4.2.12

OR

symfonysymfonyRange<3.4.35

OR

symfonysymfonyRange<2.8.52

OR

symfonymimeRange<4.3.8

OR

symfonyhttp_foundationRange<4.3.8

OR

symfonyhttp_foundationRange<4.2.12

OR

symfonyhttp_foundationRange<3.4.35

OR

symfonyhttp_foundationRange<2.8.52

References

github.com/advisories/GHSA-xhh6-956q-4q69

github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2019-18888.yaml

github.com/FriendsOfPHP/security-advisories/blob/master/symfony/mime/CVE-2019-18888.yaml

github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-18888.yaml

github.com/symfony/symfony/releases/tag/v4.3.8

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ/

lists.fedoraproject.org/archives/list/[email protected]/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX/

lists.fedoraproject.org/archives/list/[email protected]/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/

lists.fedoraproject.org/archives/list/[email protected]/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ/

nvd.nist.gov/vuln/detail/CVE-2019-18888

symfony.com/blog/cve-2019-18888-prevent-argument-injection-in-a-mimetypeguesser

symfony.com/blog/symfony-4-3-8-released

symfony.com/cve-2019-18888

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.004

Percentile

72.4%

Related for GHSA-XHH6-956Q-4Q69

cve1 friendsofphp3 osv4 debiancve1 veracode1 cvelist1 symfony1 ubuntucve1 prion1 nvd1 nessus5 openvas3 fedora3 debian2