GoogleOSV:GHSA-79GR-58R3-PWM3Symfony Unsafe Cache Serialization Could Enable RCE
EPSS
Percentile
78.7%
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.
References
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/cache/CVE-2019-18889.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-18889.yaml
github.com/symfony/symfony/releases/tag/v4.3.8
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA
lists.fedoraproject.org/archives/list/[email protected]/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA
nvd.nist.gov/vuln/detail/CVE-2019-18889
symfony.com/blog/cve-2019-18889-forbid-serializing-abstractadapter-and-tagawareadapter-instances
symfony.com/blog/symfony-4-3-8-released
symfony.com/cve-2019-18889
Related
