In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge.
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/cache/CVE-2019-10912.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/phpunit-bridge/CVE-2019-10912.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-10912.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2019-10912.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2019-10912.yaml
github.com/symfony/symfony/commit/4fb975281634b8d49ebf013af9e502e67c28816b
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42UEKSLKJB72P24JBWVN6AADHLMYSUQD
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QEAOZXVNDA63537A2OIH4QE77EKZR5O
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAC2TQVEEH5FDJSSWPM2BCRIPTCOEMMO
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BHHIG4GMSGEIDT3RITSW7GJ5NT6IBHXU
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LFARAUAWZE4UDSKVDWRD35D75HI5UGSD
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDSM576XIOVXVCMHNJHLBBZBTOD62LDA
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTJGZJLPG5FHKFH7KNAKNTWOGBB6LXAL
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLOZX5BZMQKWG7PJRQL6MB5CAMKBQAWD
nvd.nist.gov/vuln/detail/CVE-2019-10912
seclists.org/bugtraq/2019/May/21
symfony.com/blog/cve-2019-10912-prevent-destructors-with-side-effects-from-being-unserialized
symfony.com/cve-2019-10912
typo3.org/security/advisory/typo3-core-sa-2019-016
www.debian.org/security/2019/dsa-4441