CVE-2018-19789: Malicious File Upload
First published: Tue Nov 06 2018(Updated: )
An issue was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9, and 4.2.x before 4.2.1. When using the scalar type hint `string` in a setter method (e.g. `setName(string $name)`) of a class that's the `data_class` of a form, and when a file upload is submitted to the corresponding field instead of a normal text input, then `UploadedFile::__toString()` is called which will then return and disclose the path of the uploaded file. If combined with a local file inclusion issue in certain circumstances this could escalate it to a Remote Code Execution.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/symfony/symfony | >=2.7.38<2.7.50>=2.8.0<2.8.49>=3.0.0<3.1.0>=3.1.0<3.2.0>=3.2.0<3.3.0>=3.3.0<3.4.0>=3.4.0<3.4.20>=4.0.0<4.0.15>=4.1.0<4.1.9>=4.2.0<4.2.1 | |
| composer/symfony/form | >=2.7.38<2.7.50>=2.8.0<2.8.49>=3.0.0<3.1.0>=3.1.0<3.2.0>=3.2.0<3.3.0>=3.3.0<3.4.0>=3.4.0<3.4.20>=4.0.0<4.0.15>=4.1.0<4.1.9>=4.2.0<4.2.1 | |
| composer/symfony/symfony | >=4.2.0<4.2.1 | 4.2.1 |
| composer/symfony/symfony | >=4.1.0<4.1.9 | 4.1.9 |
| composer/symfony/symfony | >=4.0.0<4.0.15 | 4.0.15 |
| composer/symfony/symfony | >=3.0.0<3.4.20 | 3.4.20 |
| composer/symfony/symfony | >=2.8.0<2.8.49 | 2.8.49 |
| composer/symfony/symfony | >=2.7.0<2.7.50 | 2.7.50 |
| SensioLabs Symfony | >=2.7.0<2.7.50 | |
| SensioLabs Symfony | >=2.8.0<2.8.49 | |
| SensioLabs Symfony | >=3.0.0<3.4.20 | |
| SensioLabs Symfony | >=4.0.0<4.0.15 | |
| SensioLabs Symfony | >=4.1.0<4.1.9 | |
| SensioLabs Symfony | >=4.2.0<4.2.1 | |
| Debian Debian Linux | =8.0 | |
| debian/symfony | 3.4.22+dfsg-2+deb10u1 3.4.22+dfsg-2+deb10u2 4.4.19+dfsg-2+deb11u3 5.4.23+dfsg-1 5.4.29+dfsg-1 5.4.30+dfsg-1 | |
| composer/symfony/form | >=4.2.0<4.2.1 | 4.2.1 |
| composer/symfony/form | >=4.1.0<4.1.9 | 4.1.9 |
| composer/symfony/form | >=4.0.0<4.0.15 | 4.0.15 |
| composer/symfony/form | >=3.0.0<3.4.20 | 3.4.20 |
| composer/symfony/form | >=2.8.0<2.8.49 | 2.8.49 |
| composer/symfony/form | >=2.7.0<2.7.50 | 2.7.50 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://symfony.com/cve-2018-19789
- https://nvd.nist.gov/vuln/detail/CVE-2018-19789
- https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4TD3E7FZIXLVFG3SMFJPDEKPZ26TJOW7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZMRJ7VTHCY5AZK24G4QGX36RLUDTDKE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OA4WVFN5FYPIXAPLWZI6N425JHHDSWAZ/
- https://seclists.org/bugtraq/2019/May/21
- https://symfony.com/blog/cve-2018-19789-disclosure-of-uploaded-files-full-path
- https://www.debian.org/security/2019/dsa-4441
- https://web.archive.org/web/20210124224817/http://www.securityfocus.com/bid/106249
- https://github.com/symfony/symfony/commit/b65e6f1a47b68f2713b60cdac9cc3a4af62a2d1c
- https://github.com/advisories/GHSA-x3cf-w64x-4cp2 (Advisory)
- http://www.securityfocus.com/bid/106249
- https://security-tracker.debian.org/tracker/CVE-2018-19789
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/form/CVE-2018-19789.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-19789.yaml
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4TD3E7FZIXLVFG3SMFJPDEKPZ26TJOW7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZMRJ7VTHCY5AZK24G4QGX36RLUDTDKE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OA4WVFN5FYPIXAPLWZI6N425JHHDSWAZ/
Frequently Asked Questions
What is the severity of CVE-2018-19789?
The severity of CVE-2018-19789 is medium with a severity value of 5.3.
How does CVE-2018-19789 impact Symfony versions?
CVE-2018-19789 affects Symfony versions 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9, and 4.2.x before 4.2.1.
What is the vulnerability description of CVE-2018-19789?
CVE-2018-19789 is a vulnerability that leads to temporary uploaded file path disclosure in Symfony.
What is the Common Vulnerabilities and Exposures (CVE) ID for this vulnerability?
The Common Vulnerabilities and Exposures (CVE) ID for this vulnerability is CVE-2018-19789.
How can I fix CVE-2018-19789?
To fix CVE-2018-19789, update Symfony to version 2.7.50, 2.8.49, 3.4.20, 4.0.15, 4.1.9, or 4.2.1.
- collector/friends-of-php
- collector/nvd-index
- collector/security-tracker-debian
- agent/author
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-x3cf-w64x-4cp2
- alias/CVE-2018-19789
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/remedy
- agent/description
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- source/NVD
- agent/references
- collector/github-advisory
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/composer
- vendor/sensiolabs
- canonical/sensiolabs symfony
- version/sensiolabs symfony/2.7.0
- version/sensiolabs symfony/2.8.0
- version/sensiolabs symfony/3.0.0
- version/sensiolabs symfony/4.0.0
- version/sensiolabs symfony/4.1.0
- version/sensiolabs symfony/4.2.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- package-manager/debian