An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2019-18888.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/mime/CVE-2019-18888.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-18888.yaml
github.com/symfony/symfony/releases/tag/v4.3.8
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ
lists.fedoraproject.org/archives/list/[email protected]/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX
lists.fedoraproject.org/archives/list/[email protected]/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA
lists.fedoraproject.org/archives/list/[email protected]/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ
nvd.nist.gov/vuln/detail/CVE-2019-18888
symfony.com/blog/cve-2019-18888-prevent-argument-injection-in-a-mimetypeguesser
symfony.com/blog/symfony-4-3-8-released
symfony.com/cve-2019-18888