CVE-2019-18889: Code Injection
First published: Wed Nov 13 2019(Updated: )
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/symfony/symfony | >=3.1.0<3.2.0>=3.2.0<3.3.0>=3.3.0<3.4.0>=3.4.0<3.4.35>=4.0.0<4.1.0>=4.1.0<4.2.0>=4.2.0<4.2.12>=4.3.0<4.3.8 | |
| composer/symfony/cache | >=3.1.0<3.2.0>=3.2.0<3.3.0>=3.3.0<3.4.0>=3.4.0<3.4.35>=4.0.0<4.1.0>=4.1.0<4.2.0>=4.2.0<4.2.12>=4.3.0<4.3.8 | |
| composer/symfony/symfony | >=4.3.0<4.3.8 | 4.3.8 |
| composer/symfony/symfony | >=4.0.0<4.2.12 | 4.2.12 |
| composer/symfony/symfony | >=3.1.0<3.4.35 | 3.4.35 |
| composer/symfony/cache | >=4.3.0<4.3.8 | 4.3.8 |
| composer/symfony/cache | >=4.0.0<4.2.12 | 4.2.12 |
| composer/symfony/cache | >=3.1.0<3.4.35 | 3.4.35 |
| SensioLabs Symfony | >=3.4.0<=3.4.34 | |
| SensioLabs Symfony | >=4.2.0<=4.2.11 | |
| SensioLabs Symfony | >=4.3.0<=4.3.7 | |
| Fedoraproject Fedora | =31 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://symfony.com/cve-2019-18889
- https://nvd.nist.gov/vuln/detail/CVE-2019-18889
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/cache/CVE-2019-18889.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-18889.yaml
- https://github.com/symfony/symfony/releases/tag/v4.3.8
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/
- https://symfony.com/blog/cve-2019-18889-forbid-serializing-abstractadapter-and-tagawareadapter-instances
- https://symfony.com/blog/symfony-4-3-8-released
- https://github.com/advisories/GHSA-79gr-58r3-pwm3 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/
Frequently Asked Questions
What is CVE-2019-18889?
CVE-2019-18889 is a vulnerability in Symfony that allows remote code injection through the serialization of certain cache adapter interfaces.
What is the severity of CVE-2019-18889?
CVE-2019-18889 has a severity value of 9.8, making it a critical vulnerability.
How does CVE-2019-18889 affect Symfony?
CVE-2019-18889 affects Symfony versions 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7.
How can I fix CVE-2019-18889?
To fix CVE-2019-18889, update Symfony to version 3.4.35, 4.2.12, or 4.3.8, depending on the Symfony version you are using.
What is the Common Weakness Enumeration (CWE) of CVE-2019-18889?
CVE-2019-18889 is associated with CWE-94, which is the code injection weakness.
- collector/friends-of-php
- collector/nvd-index
- agent/author
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-79gr-58r3-pwm3
- alias/CVE-2019-18889
- agent/software-canonical-lookup
- agent/weakness
- agent/references
- agent/last-modified-date
- agent/severity
- agent/description
- agent/event
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/composer
- vendor/sensiolabs
- canonical/sensiolabs symfony
- version/sensiolabs symfony/3.4.0
- version/sensiolabs symfony/3.4.34
- version/sensiolabs symfony/4.2.0
- version/sensiolabs symfony/4.2.11
- version/sensiolabs symfony/4.3.0
- version/sensiolabs symfony/4.3.7
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/31